This article describes suggested workspace designs for organizations with the following sample requirements:

- Multiple tenants and regions, with European data sovereignty requirements
- Multiple tenants, with multiple regions and centralized security

The samples in this article use the Microsoft Sentinel workspace design decision tree to determine the best workspace design for each organization. For more information, see Microsoft Sentinel workspace architecture best practices.

This article is part of the Deployment guide for Microsoft Sentinel.

The Contoso Corporation is a multinational business with headquarters in London. Contoso has offices around the world, with important hubs in New York City and Tokyo. Recently, Contoso migrated its productivity suite to Office 365 and moved many workloads to Azure.

Contoso tenants

Due to an acquisition several years ago, Contoso has two Microsoft Entra tenants. Each tenant has its own Office 365 instance and multiple Azure subscriptions, as shown in the following image:

Contoso compliance and regional deployment

Contoso currently has Azure resources hosted in three regions: US East, EU North, and West Japan, and has a strict requirement to keep all data generated in Europe within European regions.

Both of Contoso's Microsoft Entra tenants have resources in all three regions: US East, EU North, and West Japan.

Contoso resource types and collection requirements

Contoso needs to collect events from the following data sources:

- Windows Security Events, from both on-premises and Azure VM sources
- Syslog, from both on-premises and Azure VM sources
- CEF, from multiple on-premises networking devices, such as Palo Alto, Cisco ASA, and Cisco Meraki
- Multiple Azure PaaS resources, such as Azure Firewall, AKS, Key Vault, Azure Storage, and Azure SQL

Azure VMs are mostly located in the EU North region, with only a few in US East and West Japan. Contoso uses Microsoft Defender for Servers on all of its Azure VMs.

Contoso expects to ingest around 300 GB/day from all of its data sources.

Contoso access requirements

Contoso's Azure environment already has a single Log Analytics workspace, used by the Operations team to monitor the infrastructure. This workspace is located in the Contoso Microsoft Entra tenant, in the EU North region, and collects logs from Azure VMs in all regions.

The Contoso Operations team needs access to all the logs they currently have in that workspace, which include several data types the SOC doesn't need, such as Perf, InsightsMetrics, ContainerLog, and more. The Operations team must not have access to the new logs collected in Microsoft Sentinel.

The following steps apply the Microsoft Sentinel workspace design decision tree to determine the best workspace design for Contoso:

1. Contoso already has an existing workspace, so we can explore enabling Microsoft Sentinel in that same workspace. Non-SOC data ingestion is less than 100 GB/day, so we continue to step 2, making sure to select the relevant option in step 5.
2. Contoso has regulatory requirements, so we need at least one Microsoft Sentinel workspace in Europe.
3. Contoso has two different Microsoft Entra tenants and collects from tenant-level data sources, such as Office 365 and Microsoft Entra sign-in and audit logs, so we need at least one workspace per tenant.
4. Contoso doesn't need charge-back, so we continue with step 5.
5. Contoso does need to collect non-SOC data, but there isn't any overlap between SOC and non-SOC data. Also, SOC data accounts for approximately 250 GB/day of the 300 GB/day total, so separate workspaces are the cost-efficient choice: the roughly 50 GB/day of non-SOC data then stays out of the Sentinel-enabled workspace and doesn't incur the Microsoft Sentinel per-GB charge on top of Log Analytics ingestion.
6. Most of Contoso's VMs are in the EU North region, where Contoso already has a workspace. Therefore, in this case, bandwidth costs aren't a concern.
7. Contoso has a single SOC team that will be using Microsoft Sentinel, so no extra separation is needed.
8. All members of Contoso's SOC team will have access to all the data, so no extra separation is needed.

The resulting Microsoft Sentinel workspace design for Contoso is illustrated in the following image:

- A separate Log Analytics workspace for the Contoso Operations team. This workspace will only contain data that's not needed by Contoso's SOC team, such as the Perf, InsightsMetrics, or ContainerLog tables.
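As an added example, not part of the article or of Microsoft's own deployment guidance, the following Bicep template realises the Contoso design for one tenant. The existing Operations workspace is referenced as-is; a new SOC workspace is created in North Europe (the Azure region the article calls EU North, which satisfies the European data residency requirement) and onboarded to Microsoft Sentinel; one data collection rule for the Windows VMs sends performance counters to the Operations workspace and Windows Security events to the SOC workspace, so there is no overlap between SOC and non-SOC data; and the Operations group is granted Log Analytics Reader on its own workspace only, so it cannot read the Sentinel tables. The workspace and DCR names, the counter and event selections, and the `opsTeamObjectId` parameter are placeholders I chose for the example; the same template would be deployed once per tenant.

```bicep
// Added example, not from the Microsoft Learn article. Names, the Operations
// group object ID and the counter/event selections are placeholders.
targetScope = 'resourceGroup'

@description('Azure region satisfying the European data residency requirement (EU North in the article).')
param location string = 'northeurope'

@description('Object ID of the Operations team Entra group (placeholder).')
param opsTeamObjectId string

// The Operations workspace already exists and keeps Perf, InsightsMetrics,
// ContainerLog and the other non-SOC tables; Sentinel is never enabled on it.
resource opsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: 'law-contoso-ops'
}

// New SOC workspace in the same region; only this one is onboarded to Sentinel.
resource socWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: 'law-contoso-soc'
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: 90
  }
}

// Enables Microsoft Sentinel on the SOC workspace.
resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2023-02-01' = {
  scope: socWorkspace
  name: 'default'
  properties: {}
}

// One DCR for the Windows VMs: each stream has exactly one destination, so the
// Perf table only ever lands in the Operations workspace and SecurityEvent only
// in the SOC workspace. Syslog/CEF collection would need a separate Linux DCR.
resource vmDcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'dcr-contoso-windows-vms'
  location: location
  kind: 'Windows'
  properties: {
    dataSources: {
      performanceCounters: [
        {
          name: 'perfCounters'
          streams: [ 'Microsoft-Perf' ]
          samplingFrequencyInSeconds: 60
          counterSpecifiers: [ '\\Processor(_Total)\\% Processor Time', '\\Memory\\Available MBytes' ]
        }
      ]
      windowsEventLogs: [
        {
          name: 'securityEvents'
          streams: [ 'Microsoft-SecurityEvent' ]
          // Logon success/failure and process creation; widen as the SOC requires.
          xPathQueries: [ 'Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]' ]
        }
      ]
    }
    destinations: {
      logAnalytics: [
        { name: 'opsDest', workspaceResourceId: opsWorkspace.id }
        { name: 'socDest', workspaceResourceId: socWorkspace.id }
      ]
    }
    dataFlows: [
      { streams: [ 'Microsoft-Perf' ], destinations: [ 'opsDest' ] }
      { streams: [ 'Microsoft-SecurityEvent' ], destinations: [ 'socDest' ] }
    ]
  }
}

// Operations team read access is scoped to its own workspace. No assignment is
// created on socWorkspace, which is what keeps the Sentinel logs out of reach.
resource opsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: opsWorkspace
  name: guid(opsWorkspace.id, opsTeamObjectId, 'LogAnalyticsReader')
  properties: {
    // Built-in role Log Analytics Reader.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
    principalId: opsTeamObjectId
    principalType: 'Group'
  }
}
```

Deploy into the resource group that holds the Operations workspace with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters opsTeamObjectId=<group-object-id>`, then associate the DCR with the VMs. A quick check of the access requirement afterwards: a member of the Operations group should be able to run `Perf | take 1` against `law-contoso-ops` but get an authorization error, not an empty result, when querying `SecurityEvent` in `law-contoso-soc`.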