Microsoft Sentinel Blog

Update to Microsoft Sentinel’s Technical Playbook for MSSPs is now available (v1.5.1)

Didier_Danloy
Brass Contributor
Nov 07, 2022

Special thanks: MargaretMwaura, GBushey, edilahav, Javier-Soriano, Nayef_Yassin, JeremyTan for all the content and reviews you contributed.


Today we are announcing version 1.5.1 of the MSSP playbook. The technical playbook provides guidance on deploying and managing Microsoft Sentinel, with a focus on MSSPs and on large organizations and institutions that run security operations across environments requiring a multi-tenant architecture. It addresses topics such as efficient customer onboarding, scaling SOC operations, protecting the MSSP's intellectual property, accessing customer workspaces and environments, and optimizing system administration costs. Since the last version there have been significant feature updates to Microsoft Sentinel that the playbook needs to cover. Updates in this version include:

  • Repositories to deploy custom content
  • Codeless connector platform
  • Ingestion time transformation
  • Normalization and ASIM
  • Sentinel health
  • New long term storage using Archive
  • Search and Restore for Archived logs
  • Basic logs tier

To download the latest version of the MSSP playbook, see https://aka.ms/mssentinelmssp.


6 Comments

  •
    Clive_Watson
    Bronze Contributor

    I had to change the Workbook name to get it through the GitHub approval process (not sure why, but support dealt with it); hopefully one of the article authors can correct this?
    Javier-Soriano


  •
    Paul_Sells
    Copper Contributor

    Hi,

    Thanks to all involved for producing what is an exceptionally useful playbook!! I'm looking forward to the next iteration!


    Just one typo to feedback, on page 28. Connector types, you've listed Microsoft Defender for Cloud as one of the alert sources for the Microsoft 365 Defender connector (see below). 


    Page 28. Connector Types

    • Microsoft 365 Defender used to collect alerts from Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps. This is a feature-rich connector which will also allow for raw data (as well as events or alerts) to be ingested if required and configured. This option enables additional threat hunting, correlation, applied threat intelligence, and advanced machine learning algorithms. The data can also be sent to the security data warehouse (ADX) for long-term data retention. This could occur at the same time as sending to the SIEM, or it can be sent there after the SIEM has expired the data.

  •
    Kris_Deb_e2e
    Steel Contributor

    Hi, I wanted to thank you for this playbook, it's extremely helpful and the value is outstanding. Are there any updates planned? No rush of course, just asking 🙂