Forum Discussion
Sentinel How to Questions
Thank you for your answers. I have some follow-up questions to some of them.
To Q1: So it is recommended to take the same workspace for both ASC and Sentinel?
To Q4: Maybe I asked in a wrong way. I mean, Microsoft security rules and Fusion rules e.g. (when I want to add them from templates) have no entities shown there. Does that mean that they can't be investigated within the investigation graph? What's the alternative?
To Q7: So that means if I have the same Security Alert in ASC which was fed into Sentinel, and if I remediate/investigate/respond and then close it in Sentinel, I have to close it also in Security Alert (or vice versa), and there is no recognition that it is the same alert?
So is it correct that the co-working of Sentinel and ASC is less a technical thing but more organizational, so that if I have an investigation of an incident I use ASC separately but as a successor step after investigating in Sentinel to maybe prevent future threats by remediating the recommendations? Or is that not correct?
Best regards,
To Q1: So it is recommended to take the same workspace for both ASC and Sentinel?
---According to the best practices document (link below), it is recommended to have as few workspaces as possible. As mentioned before, it will be charged like any other data coming into Azure Sentinel so there is always going to be a trade-off between the amount of data being ingested and the cost of said data. https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel-or-azure-security/ba-p/832574#:~:text=Best%20practices%20for%20designing%20an%20Azure%20Sentinel%20or,Consider%20%E2%80%9CTable%20Level%E2%80%9D%20retention.%20...%20More%20items...%20
To Q4: Maybe I asked in a wrong way. I mean, Microsoft security rules and Fusion rules e.g. (when I want to add them from templates) have no entities shown there. Does that mean that they can't be investigated within the investigation graph? What's the alternative?
---No, the rules will create the Entities themselves. You will not see the entities or be able to select them since you do not actually see the query like you do with scheduled analytic rules. I personally have a bunch of incidents from MCAS that I can perform investigations on.
To Q7: So that means if I have the same Security Alert in ASC which was fed into Sentinel, and if I remediate/investigate/respond and then close it in Sentinel, I have to close it also in Security Alert (or vice versa), and there is no recognition that it is the same alert?
---That is correct as it stands right now. Hopefully this will change in the future.
So is it correct that the co-working of Sentinel and ASC is less a technical thing but more organizational, so that if I have an investigation of an incident I use ASC separately but as a successor step after investigating in Sentinel to maybe prevent future threats by remediating the recommendations? Or is that not correct?
---Not quite sure what you mean here. It is true that even though you see an ASC incident in Azure Sentinel, you will most likely perform the investigation in ASC since it is set up to investigate its own alerts. You may also need to run queries against data in Azure Sentinel that ASC may not have access to.
Hope this helps.
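The answer to Q4 says that Microsoft security rules and Fusion rules create their entities themselves even though the template shows no entity mapping. The following KQL query, added here as an illustration and not part of either post, shows one way to confirm that from the workspace: it joins open incidents to their underlying alerts and lists the entity types those alerts carry. It assumes the standard SecurityIncident and SecurityAlert tables that Azure Sentinel writes to the workspace, with AlertIds on the incident side and SystemAlertId plus a JSON Entities column on the alert side; the seven-day window is an arbitrary choice.

```kql
// Added example (not from the thread): which entities do incidents raised by
// Microsoft security rules / Fusion / ASC actually carry?
// Assumes the built-in SecurityIncident and SecurityAlert tables.
SecurityIncident
| where TimeGenerated > ago(7d)
// keep only the latest state of each incident (the table is append-only)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status != "Closed"
// one row per alert that belongs to the incident
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(7d)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId,
              AlertProvider = ProviderName,   // e.g. the product that raised the alert
              AlertProduct  = ProductName,
              Entities                        // JSON array of entity objects
  ) on $left.AlertId == $right.SystemAlertId
// one row per entity attached to the alert
| mv-expand Entity = todynamic(Entities)
| extend EntityType = tostring(Entity.Type)
| summarize EntityCount = count(),
            EntityTypes = make_set(EntityType)
          by IncidentNumber, Title, AlertProvider, AlertProduct
| order by EntityCount desc
```

Incidents whose EntityCount is greater than zero can be opened in the investigation graph regardless of whether the rule template showed an entity mapping. Filtering on AlertProvider narrows the list to alerts from a single source such as ASC, which also makes it easy to spot, for Q7, an incident that is still open in Sentinel after the corresponding alert was handled on the ASC side.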