Microsoft's unified security operations platform planning overview

This article outlines activities to plan a deployment of Microsoft's security products to Microsoft's unified security operations platform for end-to-end security operations (SecOps). Unify your SecOps on Microsoft's platform to help you reduce risk, prevent attacks, detect and disrupt cyberthreats in real time, and respond faster with AI-enhanced security capabilities, all from the Microsoft Defender portal.

Plan your deployment

Microsoft's unified SecOps platform combines services like Microsoft Defender XDR, Microsoft Sentinel, Microsoft Security Exposure Management, and Microsoft Security Copilot in the Microsoft Defender portal.

The first step in planning your deployment is to select the services you want to use.

At a minimum, you need both Microsoft Defender XDR and Microsoft Sentinel to monitor and protect Microsoft and non-Microsoft services and solutions, across both cloud and on-premises resources.

Deploy any of the following services to add security coverage across your endpoints, identities, email, and applications, providing integrated protection against sophisticated attacks.

Microsoft Defender XDR services include:

| Service | Description |
|---|---|
| Microsoft Defender for Identity | Identifies, detects, and investigates threats from both on-premises Active Directory and cloud identities like Microsoft Entra ID. |
| Microsoft Defender for Office 365 | Protects against threats posed by email messages, URL links, and Office 365 collaboration tools. |
| Microsoft Defender for Endpoint | Monitors and protects endpoint devices, detects and investigates device breaches, and automatically responds to security threats. |
| Enterprise IoT monitoring from Microsoft Defender for IoT | Discovers enterprise IoT devices and extends security coverage to them. |
| Microsoft Defender Vulnerability Management | Identifies assets and software inventory, and assesses device posture to find security vulnerabilities. |
| Microsoft Defender for Cloud Apps | Protects and controls access to SaaS cloud apps. |

Other services supported in the Microsoft Defender portal as part of Microsoft's unified SecOps platform, but not licensed with Microsoft Defender XDR, include:

| Service | Description |
|---|---|
| Microsoft Security Exposure Management | Provides a unified view of security posture across company assets and workloads, enriching asset information with security context. |
| Microsoft Security Copilot | Provides AI-driven insights and recommendations to enhance your security operations. |
| Microsoft Defender for Cloud | Protects multi-cloud and hybrid environments with advanced threat detection and response. |
| Microsoft Defender Threat Intelligence | Streamlines threat intelligence workflows by aggregating and enriching critical data sources to correlate indicators of compromise (IOCs) with related articles, actor profiles, and vulnerabilities. |
| Microsoft Entra ID Protection | Uses risk data from sign-in attempts to assess the risk of each sign-in to your environment. |

Review service prerequisites

Before you deploy Microsoft's unified security operations platform, review the prerequisites for each service you plan to use. The following table lists the services and links to their prerequisites:

| Security service | Link to prerequisites |
|---|---|
| Required for unified SecOps | |
| Microsoft Defender XDR and Microsoft Defender for Office | Microsoft Defender XDR prerequisites |
| Microsoft Sentinel | Prerequisites to deploy Microsoft Sentinel |
| Optional Microsoft Defender XDR services | |
| Microsoft Defender for Identity | Microsoft Defender for Identity prerequisites |
| Microsoft Defender for Endpoint | Set up Microsoft Defender for Endpoint deployment |
| Enterprise monitoring with Microsoft Defender for IoT | Prerequisites for Enterprise IoT security |
| Microsoft Defender Vulnerability Management | Prerequisites & Permissions for Microsoft Defender Vulnerability Management |
| Microsoft Defender for Cloud Apps | Get started with Microsoft Defender for Cloud Apps |
| Other services supported in the Microsoft Defender portal | |
| Microsoft Security Exposure Management | Prerequisites and support |
| Microsoft Security Copilot | Minimum requirements |
| Microsoft Defender for Cloud | Start planning multicloud protection and other articles in the same section. |
| Microsoft Defender Threat Intelligence | Prerequisites for Defender Threat Intelligence |
| Microsoft Entra ID Protection | Prerequisites for Microsoft Entra ID Protection |

Plan your Log Analytics workspace architecture

To use Microsoft's unified SecOps platform, you need a Log Analytics workspace enabled for Microsoft Sentinel. A single Log Analytics workspace might be sufficient for many environments, but many organizations create multiple workspaces to optimize costs and better meet different business requirements. Note, however, that Microsoft's unified SecOps platform supports only a single workspace, so plan your workspace design around that constraint.

Design the Log Analytics workspace you want to enable for Microsoft Sentinel. Consider parameters such as any compliance requirements you have for data collection and storage and how to control access to Microsoft Sentinel data.

For more information, see:

  1. Design workspace architecture
  2. Review sample workspace designs

Plan Microsoft Sentinel costs and data sources

Microsoft's unified SecOps platform ingests data from first-party Microsoft services, such as Microsoft Defender for Cloud Apps and Microsoft Defender for Cloud. We recommend expanding your coverage to other data sources in your environment by adding Microsoft Sentinel data connectors.

Determine your data sources

Determine the full set of data sources you'll be ingesting data from, and their expected data volumes, to help you accurately project your deployment's budget and timeline. You might determine this information during your business use case review, or by evaluating a SIEM that you already have in place. If you already have a SIEM, analyze its data to understand which data sources provide the most value and should be ingested into Microsoft Sentinel.

For example, you might want to use any of the following recommended data sources:

  • Azure services: If any of the following services are deployed in Azure, use their data connectors to send these resources' diagnostic logs to Microsoft Sentinel:

    • Azure Firewall
    • Azure Application Gateway
    • Azure Key Vault
    • Azure Kubernetes Service
    • Azure SQL
    • Network Security Groups
    • Azure Arc servers

    We recommend that you set up Azure Policy to require that these resources' logs be forwarded to the underlying Log Analytics workspace. For more information, see Create diagnostic settings at scale using Azure Policy.

  • Virtual machines: For virtual machines hosted on-premises or in other clouds whose logs you need to collect, use the following data connectors:

    • Windows Security Events using AMA
    • Events via Defender for Endpoint (for server)
    • Syslog
  • Network virtual appliances / on-premises sources: For network virtual appliances or other on-premises sources that generate Common Event Format (CEF) or Syslog logs, use the following data connectors:

    • Syslog via AMA
    • Common Event Format (CEF) via AMA

For more information, see Prioritize data connectors.
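Azure Policy is what enforces log forwarding at scale; the planning question it leaves open is whether every in-scope resource actually ends up routed to the Sentinel-enabled workspace. The following Python script is an added example (not from the article) that answers that question offline against an exported inventory: the resource-type mapping, the workspace ids and every record are constructed here, with record shapes following `az resource list` and `az monitor diagnostic-settings list` output.

```python
# Resource types for the article's recommended Azure data sources (mapping assembled here).
IN_SCOPE_TYPES = {
    "microsoft.network/azurefirewalls": "Azure Firewall",
    "microsoft.network/applicationgateways": "Azure Application Gateway",
    "microsoft.keyvault/vaults": "Azure Key Vault",
    "microsoft.containerservice/managedclusters": "Azure Kubernetes Service",
    "microsoft.sql/servers/databases": "Azure SQL",
    "microsoft.network/networksecuritygroups": "Network Security Groups",
    "microsoft.hybridcompute/machines": "Azure Arc servers",
}

# Constructed ARM ids: a placeholder subscription, the Sentinel workspace and an unrelated one.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
SENTINEL_WS = SUB + "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
OTHER_WS = SUB + "/providers/Microsoft.OperationalInsights/workspaces/law-appteam"

# Constructed inventory: four in-scope resources plus one out-of-scope storage account.
RESOURCES = [
    {"id": SUB + "/providers/Microsoft.KeyVault/vaults/kv-prod", "type": "Microsoft.KeyVault/vaults"},
    {"id": SUB + "/providers/Microsoft.Network/azureFirewalls/fw-hub", "type": "Microsoft.Network/azureFirewalls"},
    {"id": SUB + "/providers/Microsoft.Network/networkSecurityGroups/nsg-web", "type": "Microsoft.Network/networkSecurityGroups"},
    {"id": SUB + "/providers/Microsoft.HybridCompute/machines/onprem-dc01", "type": "Microsoft.HybridCompute/machines"},
    {"id": SUB + "/providers/Microsoft.Storage/storageAccounts/stprod", "type": "Microsoft.Storage/storageAccounts"},
]

# Constructed diagnostic settings, with the owning resource id attached to each record.
DIAG_SETTINGS = [
    {"resourceId": RESOURCES[0]["id"], "workspaceId": SENTINEL_WS,          # covered
     "logs": [{"category": "AuditEvent", "enabled": True}]},
    {"resourceId": RESOURCES[1]["id"], "workspaceId": OTHER_WS,             # wrong workspace
     "logs": [{"category": "AzureFirewallApplicationRule", "enabled": True}]},
    {"resourceId": RESOURCES[2]["id"], "workspaceId": SENTINEL_WS,          # nothing enabled
     "logs": [{"category": "NetworkSecurityGroupEvent", "enabled": False}]},
]


def find_uncovered(resources, diag_settings, workspace_id):
    """Return {friendly type: [resource ids]} for in-scope resources that have no enabled
    log category routed to workspace_id. Comparisons are case-insensitive (ARM ids vary)."""
    covered = set()
    for ds in diag_settings:
        if (ds.get("workspaceId") or "").lower() != workspace_id.lower():
            continue
        if any(log.get("enabled") for log in ds.get("logs", [])):
            covered.add(ds["resourceId"].lower())
    gaps = {}
    for res in resources:
        label = IN_SCOPE_TYPES.get(res["type"].lower())
        if label and res["id"].lower() not in covered:
            gaps.setdefault(label, []).append(res["id"])
    return gaps
```

Against the constructed data, the firewall (logs sent to the wrong workspace), the NSG (no category enabled) and the Arc server (no setting at all) are reported as gaps, while the out-of-scope storage account is ignored.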

Plan your budget

Plan your Microsoft Sentinel budget, considering cost implications for each planned scenario. Make sure that your budget covers the cost of data ingestion for both Microsoft Sentinel and Azure Log Analytics, any playbooks that will be deployed, and so on. For more information, see:

Plan roles and permissions

Use Microsoft Entra role-based access control (RBAC) to create and assign roles within your security operations team, granting appropriate access to the services included in Microsoft's unified SecOps platform.

The Microsoft Defender XDR Unified role-based access control (RBAC) model provides a single permissions management experience: one central location where administrators control user permissions across several security solutions. For more information, see Microsoft Defender XDR Unified role-based access control (RBAC).

For the following services, use the available built-in roles, or create custom roles, to gain fine-grained control over what users can see and do. For more information, see:

| Security service | Link to role requirements |
|---|---|
| Required for unified SecOps | |
| Microsoft Defender XDR | Manage access to Microsoft Defender XDR with Microsoft Entra global roles |
| Microsoft Sentinel | Roles and permissions in Microsoft Sentinel |
| Optional Microsoft Defender XDR services | |
| Microsoft Defender for Identity | Microsoft Defender for Identity role groups |
| Microsoft Defender for Office | Microsoft Defender for Office 365 permissions in the Microsoft Defender portal |
| Microsoft Defender for Endpoint | Assign roles and permissions for Microsoft Defender for Endpoint deployment |
| Microsoft Defender Vulnerability Management | Relevant permission options for Microsoft Defender Vulnerability Management |
| Microsoft Defender for Cloud Apps | Configure admin access for Microsoft Defender for Cloud Apps |
| Other services supported in the Microsoft Defender portal | |
| Microsoft Security Exposure Management | Permissions for Microsoft Security Exposure Management |
| Microsoft Defender for Cloud | User roles and permissions |

Plan Zero Trust activities

Microsoft's unified SecOps platform is part of Microsoft's Zero Trust security model, which includes the following principles:

| Principle | Description |
|---|---|
| Verify explicitly | Always authenticate and authorize based on all available data points. |
| Use least privilege access | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. |
| Assume breach | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. |

Zero Trust security is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing least-privileged access, and using advanced analytics to detect and respond to threats.

For more information about implementing Zero Trust principles in Microsoft's unified SecOps platform, see Zero Trust content for the following services:

Next step

Deploy Microsoft's unified security operations platform