Step 2. Architect your Microsoft Sentinel workspace
Deploying the Microsoft Sentinel environment involves designing a workspace configuration to meet your security and compliance requirements. The provisioning process includes creating Log Analytics workspaces and configuring the appropriate Microsoft Sentinel options.
This article provides recommendations on how to design and implement Microsoft Sentinel workspaces for the principles of Zero Trust.
Note
If you are new to Microsoft Sentinel workspaces, see design strategies and criteria in Design a Log Analytics workspace architecture.
Step 1: Design a governance strategy
If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope for subscriptions. When you organize your subscriptions within management groups, the governance conditions you configure for a management group apply to the subscriptions it contains. For more information, see Organize your resources with management groups.
For example, the Microsoft Sentinel workspace in the following diagram is in the Security subscription under the Platform management group, which is part of the Microsoft Entra tenant.
The Security Azure subscription and the Microsoft Sentinel workspace inherit the role-based access control (RBAC) and Azure policies that are applied to the Platform management group.
Step 2: Create Log Analytics workspaces
To use Microsoft Sentinel, the first step is to create your Log Analytics workspaces. A single Log Analytics workspace might be sufficient for many environments, but many organizations create multiple workspaces to optimize costs and better meet different business requirements.
It is a best practice to create separate workspaces for the operational and security data for data ownership and cost management for Microsoft Sentinel. For example, if there’s more than one person administering operational and security roles, your first decision for Zero Trust is whether to create separate workspaces for those roles.
For more information, see Design criteria for Log Analytics workspaces.
For an example of separate workspaces for operation and security roles, see Contoso's solution.
Log Analytics workspace design considerations
For a single tenant, there are two ways Microsoft Sentinel workspaces can be configured:
Single tenant with a single Log Analytics workspace. In this case, the workspace becomes the central repository for logs across all resources within the tenant.
Advantages:
- Central consolidation of logs.
- Easier to query information.
- Log Analytics RBAC to control access. For more information, see Manage access to Log Analytics workspaces - Azure Monitor.
- Microsoft Sentinel RBAC for service RBAC. For more information, see Roles and permissions in Microsoft Sentinel.
Disadvantages:
- May not meet governance requirements.
- There is a bandwidth cost between regions.
Single tenant with regional Log Analytics workspaces.
Advantages:
- No cross-region bandwidth costs.
- May be required to meet governance.
- Granular data access control.
- Granular retention settings.
- Split billing.
Disadvantages:
- No central pane of glass.
- Analytics, workbooks, and other configurations must be deployed multiple times.
To create your Log Analytics workspaces, see Create Log Analytics workspaces.
Step 3: Architect the Sentinel Workspace
Onboarding Microsoft Sentinel requires selecting a Log Analytics workspace. The following are considerations for setting up Log Analytics for Microsoft Sentinel:
- Create a “Security” resource group for governance purposes, which allows for isolation of Microsoft Sentinel resources and role-based access to the collection. For more information, see Design a Log Analytics workspace architecture.
- Create a Log Analytics workspace in the “Security” resource group and onboard Microsoft Sentinel into it. This automatically gives you 31 days of data ingestion up to 10 Gb a day free as part of a free trial.
- Set your Log Analytics Workspace supporting Microsoft Sentinel to 90 day retention at a minimum.
Once you onboard Microsoft Sentinel to a Log Analytics workspace, you get 90 days of data retention at no additional cost. You will incur costs for the total amount of data in the workspace after 90 days. Setting it to 90 days ensures a 90-day rollover of log data. You may consider retaining log data for longer based on governmental requirements. See Quickstart: Onboard in Microsoft Sentinel for more information.
Zero Trust with Microsoft Sentinel
To implement zero-trust architecture, consider extending the workspace to query and analyze your data across workspaces and tenants. Use Sample Microsoft Sentinel workspace designs and Extend Microsoft Sentinel across workspaces and tenants to determine best workspace design for your organization.
In addition, use the Cloud Roles and Operations Management prescriptive guidance and its Excel spreadsheet (download). From this guide, the Zero Trust tasks to consider for Microsoft Sentinel are:
- Define Microsoft Sentinel RBAC roles with associated Microsoft Entra groups.
- Validate that implemented access practices to Microsoft Sentinel still meet your organization’s requirements.
- Consider the use of customer-managed keys.
Zero Trust with RBAC
To comply with Zero Trust, we recommend that you configure RBAC based on the resources that are allowed to your users instead of providing them with access to the entire Microsoft Sentinel environment. The following table lists some of the Microsoft Sentinel-specific roles.
| Role name | Description |
|---|---|
| Microsoft Sentinel Reader | View data, incidents, workbooks, and other Microsoft Sentinel resources. |
| Microsoft Sentinel Responder | In addition to the capabilities of the Microsoft Sentinel Reader role, manage incidents (assign, dismiss, etc.). This role is applicable to user types of security analysts. |
| Microsoft Sentinel Playbook Operator | List, view, and manually run playbooks. This role is also applicable to user types of security analysts. This role is for granting a Microsoft Sentinel responder the ability to run Microsoft Sentinel playbooks with the least amount of privilege. |
| Microsoft Sentinel Contributor | In addition to the capabilities of the Microsoft Sentinel Playbook Operator role, create and edit workbooks, analytics rules, and other Microsoft Sentinel resources. This role is applicable to user types of security engineers. |
| Microsoft Sentinel Automation Contributor | Allows Microsoft Sentinel to add playbooks to automation rules. It isn't meant for user accounts. |
When you assign Microsoft Sentinel-specific Azure roles, you may come across other Azure and Log Analytics roles that may have been assigned to users for other purposes. For example, the Log Analytics Contributor and Log Analytics Reader roles grant access to a Log Analytics workspace. To implement RBAC for a Microsoft Sentinel workspace, see Roles and permissions in Microsoft Sentinel and Manage access to Microsoft Sentinel data by resource.
Zero Trust in Multi-Tenant Architecture with Azure Lighthouse
Azure Lighthouse enables multi-tenant management with scalability, higher automation, and enhanced governance across resources. With Azure Lighthouse you can manage multiple Microsoft Sentinel instances across Microsoft Entra tenants at scale. Here’s an example.
With Azure Lighthouse, you can run queries across multiple workspaces or create workbooks to visualize and monitor data from your connected data sources and gain additional insight. It’s important to consider Zero Trust principles. See Recommended security practices to implement least privileges access controls for Azure Lighthouse.
Consider the following questions when implementing security best practices for Azure Lighthouse:
- Who is responsible for data ownership?
- What are the data isolation and compliance requirements?
- How to implement least privileges across tenants.
- How will multiple data connectors in multiple Microsoft Sentinel workspaces be managed?
- How to monitor office 365 environments?
- How to protect intellectual properties–for example, playbooks, notebooks, analytics rules–across tenants?
See Manage Microsoft Sentinel workspaces at scale: Granular Azure RBAC for the security best practices of Microsoft Sentinel and Azure Lighthouse.
Recommended training
The following are the recommended training modules for this step.
Introduction to Microsoft Sentinel
| Training | Introduction to Microsoft Sentinel |
|---|---|
|
Learn how Microsoft Sentinel enables you to start getting valuable security insights from your cloud and on-premises data quickly. |
Configure your Microsoft Sentinel environment
| Training | Configure your Microsoft Sentinel environment |
|---|---|
|
Get started with Microsoft Sentinel by properly configuring the Microsoft Sentinel workspace. |
Create and manage Microsoft Sentinel workspaces
| Training | Create and manage Microsoft Sentinel workspaces |
|---|---|
|
Learn about the architecture of Microsoft Sentinel workspaces to ensure you configure your system to meet your organization's security operations requirements. |
Next step
Continue with Step 3 to configure Microsoft Sentinel to ingest data sources and configure incident detection.
References
Refer to these links to learn about the services and technologies mentioned in this article.
Microsoft Sentinel:
Microsoft Sentinel governance:
Log Analytics workspaces:
- Design a Log Analytics workspace architecture
- Design criteria for Log Analytics workspaces
- Contoso's solution
- Manage access to Log Analytics workspaces - Azure Monitor
- Design a Log Analytics workspace architecture
- Create Log Analytics workspaces
Microsoft Sentinel workspaces and Azure Lighthouse:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for