Skip to content

WA SOC Microsoft Sentinel Guidance

The below guide has been developed by the WASOC to expedite a SIEM implementation with Microsoft Sentinel focused on improving operational efficiency and better threat detection.

1. Sentinel Deployment Notes

It is recommended to deploy Microsoft Sentinel in the Australia East region following the Deployment guide for Microsoft Sentinel

2. Telemetry to collect (prioritised)

Below is a rapid approach to get Microsoft workloads covered rapidly using Sentinel.

  1. Turn on auditing and health monitoring
  2. Enable User and Entity Behavior Analytics (UEBA)
  3. Microsoft 365 Defender XDR connector
    1. Microsoft Defender for Office 365
    2. Microsoft Defender for Identity
    3. Microsoft Defender for Endpoint (including Attack Surface Reduction)
    4. Connect Microsoft Defender for Cloud (servers)
  4. Microsoft Entra ID which includes Entra External ID (CIAM & B2B)

Steps 1-3 should be straightforward to complete under E5/A5 licencing. Once telemetry is being collected, the Maturity Model For Event Log Management solution adds the capability to detect changes in telemetry quality over time (which supports Secure Configuration Assessment of the SIEM environment itself).

2.1. SIEM Retention for threat hunting and investigations

Configuring retention for 12 months is recommended to ensure logs are available for investigations and threat hunting. For high volume telemetry sources, streaming events to object storage and using lifecycle management to retain for 365 days is a validated alternative that can be queried in place with tools like DuckDB to Azure Blob storage (also supports Amazon Security Lake via S3 API), Azure Data Explorer and Amazon Athena.

Simplify telemetry collection

Moving Configuration Manager to Intune, Fileshares to SharePoint and Identities from Active Directory to Entra are highly effective ways to improve security visibility while also reducing telemetry volume from self-managed platforms and servers.

3. Third party solutions (Telemetry re-ingestion)

Log Analytics Auxilary plan (preview)

The low cost Auxiliary plan is now available in public preview on data collection rule-based custom tables you create using the Tables - Create Or Update API, which is suitable for retention of third party log sources.

Deploy domain solutions with ASIM analytic rules and connect associated telemetry for relevant products. Note for large environments this can be costly, so moving to incident synchronisation only may be more effective (see next section). Deploying the ASIM Parsers directly also makes developing and managing telemetry agnostic detection rules much easier.

4. Third party integrations (Incident synchronisation only)

Create incidents based on events from systems whose logs are not ingested into Microsoft Sentinel.

The above guide supports the below incident creation flows from third party systems:

Ensuring that integrations include severity, classification and mitre tactic / technique attributes helps the WASOC triage and prioritise incidents. Additionally incidents with similar subjects or identifiers should be grouped if possible (a good rule of thumb is if something is triggering more than 4 times a day it should be grouped into hourly or larger aggregated incidents).

5. Optimise security operations

The Microsoft SOC Optimisations page aims to empower security teams by providing invaluable insights into your Microsoft Sentinel environment and offering recommendations to enhance cost efficiency, operational effectiveness, and overall management overview. The WASOC also offers an addtional cost reduction service through the dedicated cluster initative.