🔥Mastering Microsoft Sentinel Workspaces: A Step-by-Step Guide for Optimal Security and Cost Efficiency🔥
Choosing the right configuration for your Sentinel workspace is crucial to ensure cost-efficiency, data compliance, and seamless operations.
📝Here’s our guide:
📌Step 1: New or Existing Workspace?
Determine whether you already have a Log Analytics workspace you could enable Microsoft Sentinel on. If not, you'll need to create a new workspace.
If you have an existing workspace, consider how much data you'll be ingesting. If it's more than 100 GB/day, we recommend a separate workspace for Sentinel: Sentinel is billed on the data ingested into the workspace it is enabled on, so non-security data sharing that workspace is charged at Sentinel rates as well.
📌Step 2: Data Geographies
If you have regulatory requirements to keep data within specific Azure geographies, use a separate workspace in each geography that carries such a requirement; a workspace stores its data in the region it is created in.
If you don't have any such requirement, continue with step 3.
📌Step 3: Multiple Azure Tenants
If you have only a single Azure tenant, proceed directly to step 4.
If you have multiple tenants and you're collecting tenant-specific logs such as Office 365 or Microsoft 365 Defender (now Microsoft Defender XDR) logs, use a separate Microsoft Sentinel workspace for each Azure AD (Microsoft Entra ID) tenant: those connectors only pull data from the tenant the workspace lives in.
If you don’t have any tenant-specific logs, proceed to step 4.
📌Step 4: Billing and Chargeback
If you need to split billing or charge costs back, first check whether usage reporting (for example, per-table volumes from the Usage table) or a manual cross-charge is enough for you. If not, use a separate Microsoft Sentinel workspace for each cost owner.
📌Step 5: SOC vs. Non-SOC Data
If you're not collecting any non-SOC data (operational or application logs the security team doesn't use), skip to step 6.
If you are collecting non-SOC data, identify the overlaps: tables that both the SOC and other teams rely on, such as Syslog or AzureActivity. Count overlapping data as SOC data only, so it isn't sized twice. If ingestion for SOC and non-SOC data combined is more than 100 GB/day, use separate workspaces, so the non-SOC volume doesn't pay Sentinel ingestion charges it doesn't need.
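The sizing behind steps 1 and 5 is easiest to get right by pulling real volumes from the Usage table rather than guessing. The following is an added example, not code from the original post or from Microsoft: it embeds the KQL you would run in the candidate workspace, then classifies a constructed 30-day result into SOC, non-SOC and overlap buckets and applies the post's 100 GB/day rule. The SOC_TABLES and NON_SOC_TABLES sets, the sample figures and the existing-workspace parameter are assumptions for illustration; replace them with your own detection content and query output.

```python
"""Size a candidate Microsoft Sentinel workspace from Log Analytics Usage data.

Added example for this guide; not from the original post or from Microsoft.
"""

# Assumption (not from the post): tables the SOC's detection content reads.
SOC_TABLES = {
    "SecurityEvent", "SigninLogs", "AuditLogs", "OfficeActivity",
    "CommonSecurityLog", "Syslog", "AzureActivity",
}
# Assumption (not from the post): tables ops/dev teams consume for non-security
# purposes. Tables present in both sets are the step 5 "overlaps".
NON_SOC_TABLES = {
    "Perf", "InsightsMetrics", "AppTraces", "ContainerLog",
    "AzureActivity", "Syslog",
}
THRESHOLD_GB_PER_DAY = 100.0  # rule of thumb the post uses in steps 1 and 5

# KQL to run in the candidate workspace to produce the rows analysed below.
# Usage.Quantity is billed volume in MB, so dividing by 1024 yields GB.
USAGE_KQL = """
Usage
| where TimeGenerated > ago(30d) and IsBillable == true
| summarize GB = round(sum(Quantity) / 1024, 2) by DataType
"""

# Constructed sample result of USAGE_KQL (30 days, GB per table); not real data.
SAMPLE_USAGE = [
    {"DataType": "SecurityEvent", "GB": 1500.0},
    {"DataType": "SigninLogs",    "GB": 300.0},
    {"DataType": "AzureActivity", "GB": 60.0},
    {"DataType": "Syslog",        "GB": 450.0},
    {"DataType": "Perf",          "GB": 1200.0},
    {"DataType": "ContainerLog",  "GB": 900.0},
    {"DataType": "AppTraces",     "GB": 150.0},
    {"DataType": "CustomApp_CL",  "GB": 30.0},
]


def daily_ingest(rows, days=30):
    """Convert summed Usage rows into average GB/day per table."""
    return {r["DataType"]: r["GB"] / days for r in rows}


def classify(per_table):
    """Bucket daily ingest into SOC, non-SOC and overlap volumes.

    Overlapping tables are counted once, as SOC data (step 5). Tables in
    neither list are flagged and, conservatively, counted as non-SOC so they
    are not silently assumed to be needed by the SOC.
    """
    soc = non_soc = overlap = 0.0
    unclassified = []
    for table, gb in per_table.items():
        is_soc, is_non_soc = table in SOC_TABLES, table in NON_SOC_TABLES
        if is_soc and is_non_soc:
            overlap += gb
            soc += gb
        elif is_soc:
            soc += gb
        elif is_non_soc:
            non_soc += gb
        else:
            unclassified.append(table)
            non_soc += gb
    return {"soc": soc, "non_soc": non_soc, "overlap": overlap,
            "unclassified": unclassified}


def recommend(buckets, existing_workspace_gb_per_day=None):
    """Apply the post's sizing rules; returns the layout and the rule that fired.

    existing_workspace_gb_per_day is the current ingest of a workspace you are
    considering reusing (step 1); pass None when creating a new one.
    """
    combined = buckets["soc"] + buckets["non_soc"]
    if (existing_workspace_gb_per_day is not None
            and existing_workspace_gb_per_day > THRESHOLD_GB_PER_DAY):
        return {"layout": "separate",
                "reason": f"step 1: existing workspace already ingests "
                          f"{existing_workspace_gb_per_day:.1f} GB/day"}
    if buckets["non_soc"] == 0:
        return {"layout": "single",
                "reason": "step 5: no non-SOC data, nothing to separate"}
    if combined > THRESHOLD_GB_PER_DAY:
        return {"layout": "separate",
                "reason": f"step 5: SOC {buckets['soc']:.1f} + non-SOC "
                          f"{buckets['non_soc']:.1f} = {combined:.1f} GB/day "
                          f"exceeds {THRESHOLD_GB_PER_DAY:.0f}"}
    return {"layout": "single",
            "reason": f"step 5: combined {combined:.1f} GB/day is within the threshold"}


if __name__ == "__main__":
    per_table = daily_ingest(SAMPLE_USAGE)
    buckets = classify(per_table)
    for name, gb in sorted(per_table.items(), key=lambda kv: -kv[1]):
        print(f"{name:<16}{gb:8.1f} GB/day")
    print(buckets)
    print(recommend(buckets))
```

With the constructed figures the SOC bucket comes to 77 GB/day (17 of it overlap) and the non-SOC bucket to 76 GB/day, so the combined 153 GB/day trips the step 5 rule and the script recommends separate workspaces. The unclassified CustomApp_CL table is reported so you decide deliberately whether it belongs to the SOC before enabling Sentinel on a workspace that already holds it.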
📌Step 6: Multiple Regions
If you're collecting logs from Azure VMs in a single region, proceed directly to step 7.
If the VMs span multiple regions, consider the inter-region bandwidth (egress) cost of shipping their logs to one workspace. If it's a concern, use a separate workspace for each region. Otherwise, use a single workspace.
📌Step 7: Segregating Data
If you need to segregate data or define ownership boundaries, decide whether each data owner needs access to the Microsoft Sentinel portal itself (incidents, analytics rules, workbooks) rather than just the logs. If yes, use a separate workspace for each owner.
If query access to the logs via Log Analytics is sufficient, proceed to step 8.
📌Step 8: Data Access Control
If you need to control data access by source or table, use resource-context RBAC when you need row-level control (users see only records from the Azure resources they hold read permission on, matched on the record's _ResourceId) or for custom data sources/tables; it requires the workspace's access control mode to be "Use resource or workspace permissions". Otherwise, use a single workspace with table-level RBAC, which grants or denies read access per table through custom Azure roles.
Want to learn more? 💡
🔗MS Docs: https://lnkd.in/ewd2-XZj
🔗Blog: https://secsentinel.com