
WA SOC Microsoft Sentinel Guidance

The guide below has been developed by the WASOC to expedite a SIEM implementation with Microsoft Sentinel that aligns to best practice for better threat detection.

1. Sentinel Deployment Notes

It is recommended to deploy Microsoft Sentinel in the Australia East region, following the Deployment guide for Microsoft Sentinel.

2. Telemetry to collect (prioritised)

Below is a rapid approach to get Microsoft workloads covered using Sentinel.

  1. Turn on auditing and health monitoring
  2. Enable User and Entity Behavior Analytics (UEBA)
  3. Microsoft 365 Defender XDR connector
    1. Microsoft Defender for Office 365
    2. Microsoft Defender for Identity
    3. Microsoft Defender for Endpoint (including Attack Surface Reduction)
    4. Connect Microsoft Defender for Cloud (servers)
  4. Microsoft Entra ID (formerly AAD)

Steps 1-3 should be straightforward to complete under E5/A5 licensing. Once telemetry is being collected, the Maturity Model For Event Log Management solution adds the capability to detect changes in telemetry quality over time (which supports Secure Configuration Assessment of the SIEM environment itself).

3. Third party solutions (Telemetry re-ingestion)

Deploy domain solutions with ASIM analytic rules and connect the associated telemetry for relevant products. Note that for large environments this can be costly, so moving to incident synchronisation only may be more effective (see next section). Deploying the ASIM Parsers directly also makes developing and managing telemetry-agnostic detection rules much easier.

4. Third party integrations (Incident synchronisation only)

Create incidents based on events from systems whose logs are not ingested into Microsoft Sentinel.

The above guide supports the below incident creation flows from third party systems:

Ensuring that integrations include severity, classification and MITRE ATT&CK tactic / technique attributes helps the WASOC triage and prioritise incidents. Additionally, incidents with similar subjects or identifiers should be grouped where possible (a good rule of thumb is that if something is triggering more than 4 times a day it should be grouped into hourly or larger aggregated incidents).
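As an added example (not part of the WASOC guidance or any vendor connector), the grouping rule of thumb above expressed in Python: alerts from a hypothetical third-party product are counted per subject per day, noisy subjects are rolled up into one incident per hour, and every incident carries the severity, classification and MITRE tactic/technique attributes the SOC needs for triage. The alert records and the 4-per-day threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Rank used to carry the highest severity of any alert in an aggregate.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def floor_to_hour(ts):
    """Truncate a timestamp to the start of its hour (the aggregation window)."""
    return ts.replace(minute=0, second=0, microsecond=0)

def daily_counts(alerts):
    """Alerts per (subject, calendar day); this decides which subjects are noisy."""
    counts = defaultdict(int)
    for a in alerts:
        counts[(a["subject"], a["ts"].date())] += 1
    return counts

def build_incidents(alerts, threshold_per_day=4):
    """Turn third-party alerts into incidents for synchronisation into Sentinel.
    A subject firing more than threshold_per_day times on a day is grouped into
    one incident per hour; quieter subjects stay one alert per incident. Every
    incident keeps severity, classification and MITRE tactic/technique."""
    counts = daily_counts(alerts)
    buckets = defaultdict(list)
    for idx, a in enumerate(alerts):
        noisy = counts[(a["subject"], a["ts"].date())] > threshold_per_day
        key = (a["subject"], floor_to_hour(a["ts"])) if noisy else (a["subject"], a["ts"], idx)
        buckets[key].append(a)
    incidents = []
    for key, group in sorted(buckets.items(), key=lambda kv: kv[0][:2]):
        incidents.append({
            "subject": key[0], "window_start": key[1], "count": len(group),
            "severity": max((g["severity"] for g in group), key=SEVERITY_RANK.__getitem__),
            "classification": sorted({g["classification"] for g in group}),
            "tactics": sorted({g["tactic"] for g in group}),
            "techniques": sorted({g["technique"] for g in group}),
        })
    return incidents

def sample_alerts():
    """Constructed alerts from a hypothetical third-party product (not real data)."""
    day = datetime(2024, 1, 15, tzinfo=timezone.utc)
    at = lambda h, m: day.replace(hour=h, minute=m)
    noisy = [{"subject": "host-01", "ts": at(h, m), "severity": "Medium", "classification": "Malware",
              "tactic": "Execution", "technique": "T1059"}
             for h, m in [(9, 5), (9, 20), (9, 40), (10, 10), (10, 30), (10, 55)]]
    noisy[4]["severity"] = "High"  # one escalated hit; the hourly aggregate must carry it
    quiet = [{"subject": "user-02", "ts": at(h, m), "severity": "Low", "classification": "Suspicious sign-in",
              "tactic": "Initial Access", "technique": "T1078"} for h, m in [(8, 0), (17, 30)]]
    return noisy + quiet
```

Running `build_incidents(sample_alerts())` yields four incidents: two hourly aggregates of three hits each for host-01 (the second carrying severity High) and two single-alert incidents for user-02.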

5. Performance and cost optimisation

The Microsoft Sentinel Optimization Workbook aims to empower security teams by providing insights into your Microsoft Sentinel environment and offering recommendations to enhance cost efficiency, operational effectiveness, and overall management overview. The WASOC also offers an additional cost reduction service through the dedicated cluster initiative.