Step 2. Architect your Microsoft Sentinel workspace
Deploying the Microsoft Sentinel environment involves designing a workspace configuration to meet your security and compliance requirements. The provisioning process includes creating Log Analytics workspaces and configuring the appropriate Microsoft Sentinel options.
This article provides recommendations on how to design and implement Microsoft Sentinel workspaces for the principles of Zero Trust.
Step 1: Design a governance strategy
If your organization has many Azure subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope for subscriptions. When you organize your subscriptions within management groups, the governance conditions you configure for a management group apply to the subscriptions it contains. For more information, see Organize your resources with management groups.
For example, the Microsoft Sentinel workspace in the following diagram is in the Security subscription under the Platform management group, which is part of the Microsoft Entra ID tenant.
The Security Azure subscription and the Microsoft Sentinel workspace inherit the role-based access control (RBAC) and Azure policies that are applied to the Platform management group.
Step 2: Create Log Analytics workspaces
To use Microsoft Sentinel, the first step is to create your Log Analytics workspaces. A single Log Analytics workspace might be sufficient for many environments, but many organizations create multiple workspaces to optimize costs and better meet different business requirements.
It's a best practice to create separate workspaces for the operational and security data for data ownership and cost management for Microsoft Sentinel. For example, if there’s more than one person administering operational and security roles, your first decision for Zero Trust is whether to create separate workspaces for those roles.
The unified security operations platform, which provides access to Microsoft Sentinel in the Defender portal, supports only a single workspace.
For more information, see Contoso's sample solution for separate workspaces for operation and security roles.
Log Analytics workspace design considerations
For a single tenant, there are two ways Microsoft Sentinel workspaces can be configured:
Single tenant with a single Log Analytics workspace. In this case, the workspace becomes the central repository for logs across all resources within the tenant.
Advantages:
- Central consolidation of logs.
- Easier to query information.
- Azure role-based access control (Azure RBAC) to control access to Log Analytics and Microsoft Sentinel. For more information, see Manage access to Log Analytics workspaces - Azure Monitor, and Roles and permissions in Microsoft Sentinel.
Disadvantages:
- May not meet governance requirements.
- There's a bandwidth cost between regions.
Single tenant with regional Log Analytics workspaces.
Advantages:
- No cross-region bandwidth costs.
- May be required to meet governance.
- Granular data access control.
- Granular retention settings.
- Split billing.
Disadvantages:
- No central pane of glass.
- Analytics, workbooks, and other configurations must be deployed multiple times.
For more information, see Design a Log Analytics workspace architecture.
Step 3: Architect the Microsoft Sentinel workspace
Onboarding Microsoft Sentinel requires selecting a Log Analytics workspace. The following are considerations for setting up Log Analytics for Microsoft Sentinel:
Create a Security resource group for governance purposes, which allows you to isolate Microsoft Sentinel resources and role-based access to the collection. For more information, see Design a Log Analytics workspace architecture.
Create a Log Analytics workspace in the Security resource group and onboard Microsoft Sentinel into it. This automatically gives you 31 days of data ingestion up to 10 Gb a day free as part of a free trial.
Set your Log Analytics Workspace supporting Microsoft Sentinel to 90 day retention at a minimum.
Once you onboard Microsoft Sentinel to a Log Analytics workspace, you get 90 days of data retention at no extra cost, and ensure a 90-day rollover of log data. You'll incur costs for the total amount of data in the workspace after 90 days. You might consider retaining log data for longer based on governmental requirements. For more information, see Create Log Analytics workspaces and Quickstart: Onboard in Microsoft Sentinel.
Zero Trust with Microsoft Sentinel
To implement zero-trust architecture, consider extending the workspace to query and analyze your data across workspaces and tenants. Use Sample Microsoft Sentinel workspace designs and Extend Microsoft Sentinel across workspaces and tenants to determine best workspace design for your organization.
In addition, use the Cloud Roles and Operations Management prescriptive guidance and its Excel spreadsheet (download). From this guide, the Zero Trust tasks to consider for Microsoft Sentinel are:
- Define Microsoft Sentinel RBAC roles with associated Microsoft Entra groups.
- Validate that implemented access practices to Microsoft Sentinel still meet your organization’s requirements.
- Consider the use of customer-managed keys.
Zero Trust with RBAC
To comply with Zero Trust, we recommend that you configure Azure RBAC based on the resources that are allowed to your users instead of providing them with access to the entire Microsoft Sentinel environment.
The following table lists some of the Microsoft Sentinel-specific roles.
| Role name | Description |
|---|---|
| Microsoft Sentinel Reader | View data, incidents, workbooks, and other Microsoft Sentinel resources. |
| Microsoft Sentinel Responder | In addition to the capabilities of the Microsoft Sentinel Reader role, manage incidents (assign, dismiss, etc.). This role is applicable to user types of security analysts. |
| Microsoft Sentinel Playbook Operator | List, view, and manually run playbooks. This role is also applicable to user types of security analysts. This role is for granting a Microsoft Sentinel responder the ability to run Microsoft Sentinel playbooks with the least amount of privilege. |
| Microsoft Sentinel Contributor | In addition to the capabilities of the Microsoft Sentinel Playbook Operator role, create and edit workbooks, analytics rules, and other Microsoft Sentinel resources. This role is applicable to user types of security engineers. |
| Microsoft Sentinel Automation Contributor | Allows Microsoft Sentinel to add playbooks to automation rules. It isn't meant for user accounts. |
When you assign Microsoft Sentinel-specific Azure roles, you might come across other Azure and Log Analytics roles that might have been assigned to users for other purposes. For example, the Log Analytics Contributor and Log Analytics Reader roles grant access to a Log Analytics workspace.
For more information, see Roles and permissions in Microsoft Sentinel and Manage access to Microsoft Sentinel data by resource.
Zero Trust in multitenant architectures with Azure Lighthouse
Azure Lighthouse enables multitenant management with scalability, higher automation, and enhanced governance across resources. With Azure Lighthouse you can manage multiple Microsoft Sentinel instances across Microsoft Entra tenants at scale. Here’s an example.
With Azure Lighthouse, you can run queries across multiple workspaces or create workbooks to visualize and monitor data from your connected data sources and gain extra insight. It’s important to consider Zero Trust principles. See Recommended security practices to implement least privileges access controls for Azure Lighthouse.
Consider the following questions when implementing security best practices for Azure Lighthouse:
- Who is responsible for data ownership?
- What are the data isolation and compliance requirements?
- How will you implement least privileges across tenants?
- How will multiple data connectors in multiple Microsoft Sentinel workspaces be managed?
- How to monitor office 365 environments?
- How to protect intellectual properties–for example, playbooks, notebooks, analytics rules–across tenants?
See Manage Microsoft Sentinel workspaces at scale: Granular Azure RBAC for the security best practices of Microsoft Sentinel and Azure Lighthouse.
Onboard your workspace to the unified security operations platform
If you're working with a single workspace, we recommend that you onboard your workspace to the unified security operations platform to view all your Microsoft Sentinel data together with XDR data in the Microsoft Defender portal.
The unified security operations platform also provides improved capabilities, such as automatic attack disruption for SAP system, unified queries from the Defender Advanced hunting page, and unified incidents and entities across both Microsoft Defender and Microsoft Sentinel.
For more information, see:
- Connect Microsoft Sentinel to Microsoft Defender XDR
- Microsoft Sentinel in the Microsoft Defender portal
Recommended training
Training content doesn't currently cover the unified security operations platform.
Introduction to Microsoft Sentinel
| Training | Introduction to Microsoft Sentinel |
|---|---|
|
Learn how Microsoft Sentinel enables you to start getting valuable security insights from your cloud and on-premises data quickly. |
Configure your Microsoft Sentinel environment
| Training | Configure your Microsoft Sentinel environment |
|---|---|
|
Get started with Microsoft Sentinel by properly configuring the Microsoft Sentinel workspace. |
Create and manage Microsoft Sentinel workspaces
| Training | Create and manage Microsoft Sentinel workspaces |
|---|---|
|
Learn about the architecture of Microsoft Sentinel workspaces to ensure you configure your system to meet your organization's security operations requirements. |
Next step
Continue with Step 3 to configure Microsoft Sentinel to ingest data sources and configure incident detection.
References
Refer to these links to learn about the services and technologies mentioned in this article.
| Service area | Learn more |
|---|---|
| Microsoft Sentinel | - Quickstart: Onboard in Microsoft Sentinel - Manage access to Microsoft Sentinel data by resource |
| Microsoft Sentinel governance | - Organize your resources with management groups - Roles and permissions in Microsoft Sentinel |
| Log Analytics workspaces | - Design a Log Analytics workspace architecture - Design criteria for Log Analytics workspaces - Contoso's solution - Manage access to Log Analytics workspaces - Azure Monitor - Design a Log Analytics workspace architecture - Create Log Analytics workspaces |
| Microsoft Sentinel workspaces and Azure Lighthouse | - Manage Microsoft Sentinel workspaces at scale: Granular Azure RBAC - Recommended security practices |