Jaa


Step 2. Architect your Microsoft Sentinel workspace

Deploying the Microsoft Sentinel environment involves designing a workspace configuration to meet your security and compliance requirements. The provisioning process includes creating Log Analytics workspaces and configuring the appropriate Microsoft Sentinel options.

This article provides recommendations on how to design and implement Microsoft Sentinel workspaces for the principles of Zero Trust.

Step 1: Design a governance strategy

If your organization has many Azure subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope for subscriptions. When you organize your subscriptions within management groups, the governance conditions you configure for a management group apply to the subscriptions it contains. For more information, see Organize your resources with management groups.

For example, the Microsoft Sentinel workspace in the following diagram is in the Security subscription under the Platform management group, which is part of the Microsoft Entra ID tenant.

Diagram of an example Microsoft Sentinel workspace in a Microsoft Entra ID tenant.

The Security Azure subscription and the Microsoft Sentinel workspace inherit the role-based access control (RBAC) and Azure policies that are applied to the Platform management group.

Step 2: Create Log Analytics workspaces

To use Microsoft Sentinel, the first step is to create your Log Analytics workspaces. A single Log Analytics workspace might be sufficient for many environments, but many organizations create multiple workspaces to optimize costs and better meet different business requirements.

It's a best practice to create separate workspaces for the operational and security data for data ownership and cost management for Microsoft Sentinel. For example, if there’s more than one person administering operational and security roles, your first decision for Zero Trust is whether to create separate workspaces for those roles.

The unified security operations platform, which provides access to Microsoft Sentinel in the Defender portal, supports only a single workspace.

For more information, see Contoso's sample solution for separate workspaces for operation and security roles.

Log Analytics workspace design considerations

For a single tenant, there are two ways Microsoft Sentinel workspaces can be configured:

  • Single tenant with a single Log Analytics workspace. In this case, the workspace becomes the central repository for logs across all resources within the tenant.

    Advantages:

    Disadvantages:

    • May not meet governance requirements.
    • There's a bandwidth cost between regions.
  • Single tenant with regional Log Analytics workspaces.

    Advantages:

    • No cross-region bandwidth costs.
    • May be required to meet governance.
    • Granular data access control.
    • Granular retention settings.
    • Split billing.

    Disadvantages:

    • No central pane of glass.
    • Analytics, workbooks, and other configurations must be deployed multiple times.

For more information, see Design a Log Analytics workspace architecture.

Step 3: Architect the Microsoft Sentinel workspace

Onboarding Microsoft Sentinel requires selecting a Log Analytics workspace. The following are considerations for setting up Log Analytics for Microsoft Sentinel:

  • Create a Security resource group for governance purposes, which allows you to isolate Microsoft Sentinel resources and role-based access to the collection. For more information, see Design a Log Analytics workspace architecture.

  • Create a Log Analytics workspace in the Security resource group and onboard Microsoft Sentinel into it. This automatically gives you 31 days of data ingestion up to 10 Gb a day free as part of a free trial.

  • Set your Log Analytics Workspace supporting Microsoft Sentinel to 90 day retention at a minimum.

Once you onboard Microsoft Sentinel to a Log Analytics workspace, you get 90 days of data retention at no extra cost, and ensure a 90-day rollover of log data. You'll incur costs for the total amount of data in the workspace after 90 days. You might consider retaining log data for longer based on governmental requirements. For more information, see Create Log Analytics workspaces and Quickstart: Onboard in Microsoft Sentinel.

Zero Trust with Microsoft Sentinel

To implement zero-trust architecture, consider extending the workspace to query and analyze your data across workspaces and tenants. Use Sample Microsoft Sentinel workspace designs and Extend Microsoft Sentinel across workspaces and tenants to determine best workspace design for your organization.

In addition, use the Cloud Roles and Operations Management prescriptive guidance and its Excel spreadsheet (download). From this guide, the Zero Trust tasks to consider for Microsoft Sentinel are:

  • Define Microsoft Sentinel RBAC roles with associated Microsoft Entra groups.
  • Validate that implemented access practices to Microsoft Sentinel still meet your organization’s requirements.
  • Consider the use of customer-managed keys.

Zero Trust with RBAC

To comply with Zero Trust, we recommend that you configure Azure RBAC based on the resources that are allowed to your users instead of providing them with access to the entire Microsoft Sentinel environment.

The following table lists some of the Microsoft Sentinel-specific roles.

Role name Description
Microsoft Sentinel Reader View data, incidents, workbooks, and other Microsoft Sentinel resources.
Microsoft Sentinel Responder In addition to the capabilities of the Microsoft Sentinel Reader role, manage incidents (assign, dismiss, etc.). This role is applicable to user types of security analysts.
Microsoft Sentinel Playbook Operator List, view, and manually run playbooks. This role is also applicable to user types of security analysts. This role is for granting a Microsoft Sentinel responder the ability to run Microsoft Sentinel playbooks with the least amount of privilege.
Microsoft Sentinel Contributor In addition to the capabilities of the Microsoft Sentinel Playbook Operator role, create and edit workbooks, analytics rules, and other Microsoft Sentinel resources. This role is applicable to user types of security engineers.
Microsoft Sentinel Automation Contributor Allows Microsoft Sentinel to add playbooks to automation rules. It isn't meant for user accounts.

When you assign Microsoft Sentinel-specific Azure roles, you might come across other Azure and Log Analytics roles that might have been assigned to users for other purposes. For example, the Log Analytics Contributor and Log Analytics Reader roles grant access to a Log Analytics workspace.

For more information, see Roles and permissions in Microsoft Sentinel and Manage access to Microsoft Sentinel data by resource.

Zero Trust in multitenant architectures with Azure Lighthouse

Azure Lighthouse enables multitenant management with scalability, higher automation, and enhanced governance across resources. With Azure Lighthouse you can manage multiple Microsoft Sentinel instances across Microsoft Entra tenants at scale. Here’s an example.

Diagram of an example use of Azure Lighthouse across multiple Microsoft Entra tenants.

With Azure Lighthouse, you can run queries across multiple workspaces or create workbooks to visualize and monitor data from your connected data sources and gain extra insight. It’s important to consider Zero Trust principles. See Recommended security practices to implement least privileges access controls for Azure Lighthouse.

Consider the following questions when implementing security best practices for Azure Lighthouse:

  • Who is responsible for data ownership?
  • What are the data isolation and compliance requirements?
  • How will you implement least privileges across tenants?
  • How will multiple data connectors in multiple Microsoft Sentinel workspaces be managed?
  • How to monitor office 365 environments?
  • How to protect intellectual properties–for example, playbooks, notebooks, analytics rules–across tenants?

See Manage Microsoft Sentinel workspaces at scale: Granular Azure RBAC for the security best practices of Microsoft Sentinel and Azure Lighthouse.

Onboard your workspace to the unified security operations platform

If you're working with a single workspace, we recommend that you onboard your workspace to the unified security operations platform to view all your Microsoft Sentinel data together with XDR data in the Microsoft Defender portal.

The unified security operations platform also provides improved capabilities, such as automatic attack disruption for SAP system, unified queries from the Defender Advanced hunting page, and unified incidents and entities across both Microsoft Defender and Microsoft Sentinel.

For more information, see:

Training content doesn't currently cover the unified security operations platform.

Introduction to Microsoft Sentinel

Training Introduction to Microsoft Sentinel
Learn how Microsoft Sentinel enables you to start getting valuable security insights from your cloud and on-premises data quickly.

Configure your Microsoft Sentinel environment

Training Configure your Microsoft Sentinel environment
Get started with Microsoft Sentinel by properly configuring the Microsoft Sentinel workspace.

Create and manage Microsoft Sentinel workspaces

Training Create and manage Microsoft Sentinel workspaces
Learn about the architecture of Microsoft Sentinel workspaces to ensure you configure your system to meet your organization's security operations requirements.

Next step

Continue with Step 3 to configure Microsoft Sentinel to ingest data sources and configure incident detection.

Image of Microsoft Sentinel and XDR solution steps with step 3 highlighted

References

Refer to these links to learn about the services and technologies mentioned in this article.

Service area Learn more
Microsoft Sentinel - Quickstart: Onboard in Microsoft Sentinel
- Manage access to Microsoft Sentinel data by resource
Microsoft Sentinel governance - Organize your resources with management groups
- Roles and permissions in Microsoft Sentinel
Log Analytics workspaces - Design a Log Analytics workspace architecture
- Design criteria for Log Analytics workspaces
- Contoso's solution
- Manage access to Log Analytics workspaces - Azure Monitor
- Design a Log Analytics workspace architecture
- Create Log Analytics workspaces
Microsoft Sentinel workspaces and Azure Lighthouse - Manage Microsoft Sentinel workspaces at scale: Granular Azure RBAC
- Recommended security practices