Forum Discussion

Deleted
Apr 21, 2021

Sentinel Lighthouse - Best Practice

Hello -

I've begun the testing and development phase of my Azure/Lighthouse deployment.

Currently: Customer A has Defender for Endpoint configured.

Goal:
Take Defender ATP alerts and centrally manage them in the SOC using Azure Lighthouse. I would like to manage the endpoint as well; I believe this is a different technology.

I know I will need to deploy Sentinel for myself and for Customer A.

I will also need to deploy Azure Lighthouse to connect to the customer environment.

Which should be done first? And can this be done in one step?


Notes:
I plan to use this https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Sentinel-All-In-One/MSSPversion

But I don't know where I am in the steps from 
https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#the-need-to-use-multiple-azure-sentinel-workspaces
to
https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer
to
Deploying and Managing Azure Sentinel as Code - Microsoft Tech Community

If someone can give me a
1)
2)
3)
sort of picture of the order in which to follow the documentation, advice, etc., it would be greatly appreciated!

THANKS!

8 Replies

    • Thijs Lecomte
      Bronze Contributor
      Hi

      You don't need a Sentinel resource in your tenant per se. If your internal organization doesn't require Sentinel, you don't need to deploy it.

      I would recommend configuring Lighthouse first, then setting up Azure Sentinel in your customer's environment.

      To manage Microsoft Defender, you can't use Lighthouse, I would recommend this => https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/grant-mssp-access?view=o365-worldwide
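The order described in the reply above (Lighthouse delegation first, then Sentinel on a workspace in the customer's subscription), as an added worked example that is not part of the original thread or of the Microsoft tooling linked in it. Everything here is assumed: the tenant and subscription IDs, the Azure AD group object IDs, the region, the resource names, and the use of the public subscription-scope delegation sample from the Azure-Lighthouse-samples repository; the built-in role definition IDs are the documented values but should be verified against the Azure built-in roles reference before use. The Defender for Endpoint side of the service is not covered here because, as the reply notes, Lighthouse does not manage it.

```powershell
# Added example: onboard Customer A via Azure Lighthouse, then enable Azure Sentinel
# on a Log Analytics workspace inside the customer's own subscription.
# Requires the Az modules: Az.Accounts, Az.Resources, Az.OperationalInsights, Az.MonitoringSolutions.
# All IDs and names below are placeholders (assumptions), not values from the thread.

# ---------- Step 1: run while signed in to the CUSTOMER tenant (needs Owner on the subscription) ----------
$customerTenantId    = '00000000-0000-0000-0000-000000000001'   # assumption: Customer A's Azure AD tenant
$customerSubId       = '00000000-0000-0000-0000-000000000002'   # assumption: subscription that will host the workspace
$mspTenantId         = '00000000-0000-0000-0000-000000000003'   # assumption: the MSSP (your SOC) tenant
$socAnalystsGroupId  = '00000000-0000-0000-0000-000000000004'   # assumption: object ID of an Azure AD group in the MSSP tenant
$socEngineersGroupId = '00000000-0000-0000-0000-000000000005'   # assumption: object ID of a second MSSP group

# Built-in role definition IDs (verify against the Azure built-in roles reference before use).
$roles = @{
    Reader                  = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
    LogAnalyticsContributor = '92aaf0da-9dab-42b6-94a3-d43ce8d16293'
    SentinelContributor     = 'ab8e14d6-4a74-4a29-9ba8-549422addade'
    SentinelResponder       = '3e150937-b8fe-4cfb-8069-0eaf05ecd056'
}

# Least privilege: analysts get Responder (triage incidents) + Reader; engineers get
# Sentinel Contributor + Log Analytics Contributor so they can manage rules and connectors.
# Lighthouse cannot delegate Owner, so the customer keeps ownership of the subscription.
$authorizations = @(
    @{ principalId = $socAnalystsGroupId;  principalIdDisplayName = 'SOC Analysts';  roleDefinitionId = $roles.SentinelResponder }
    @{ principalId = $socAnalystsGroupId;  principalIdDisplayName = 'SOC Analysts';  roleDefinitionId = $roles.Reader }
    @{ principalId = $socEngineersGroupId; principalIdDisplayName = 'SOC Engineers'; roleDefinitionId = $roles.SentinelContributor }
    @{ principalId = $socEngineersGroupId; principalIdDisplayName = 'SOC Engineers'; roleDefinitionId = $roles.LogAnalyticsContributor }
)

Connect-AzAccount -Tenant $customerTenantId -Subscription $customerSubId

# Subscription-scope deployment of the standard Lighthouse delegation template
# (registrationDefinition + registrationAssignment). The template URL points at the public
# sample repo (assumption); pin a reviewed copy in your own repo for production use.
New-AzSubscriptionDeployment `
    -Name 'lighthouse-onboard-customer-a' `
    -Location 'westeurope' `
    -TemplateUri 'https://raw.githubusercontent.com/Azure/Azure-Lighthouse-samples/master/templates/delegated-resource-management/subscription/subscription.json' `
    -TemplateParameterObject @{
        mspOfferName        = 'Contoso MSSP - Sentinel MDR'
        mspOfferDescription = 'Delegated access for SOC monitoring'
        managedByTenantId   = $mspTenantId
        authorizations      = $authorizations
    }

# ---------- Step 2: run while signed in to the MSSP tenant ----------
Connect-AzAccount -Tenant $mspTenantId

# After delegation the customer subscription is visible from your own tenant.
Get-AzSubscription | Where-Object { $_.Id -eq $customerSubId } | Format-List Name, Id, TenantId
Set-AzContext -Subscription $customerSubId

# The workspace lives in the customer's subscription: their log data stays in their tenant,
# and you administer it through the delegated roles rather than with accounts in their tenant.
$rgName = 'rg-sentinel-customer-a'
$wsName = 'law-sentinel-customer-a'
New-AzResourceGroup -Name $rgName -Location 'westeurope' -Force
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rgName -Name $wsName `
        -Location 'westeurope' -Sku 'PerGB2018'

# Enabling the SecurityInsights solution on the workspace is what turns on Azure Sentinel.
New-AzMonitorLogAnalyticsSolution -Type 'SecurityInsights' -ResourceGroupName $rgName `
    -Location 'westeurope' -WorkspaceResourceId $ws.ResourceId
```

Two things to check after running it: in the customer tenant, the delegation shows up under Service providers in the portal and can be revoked there at any time, which is the customer's control over your access; in the MSSP tenant, sign in as a member of the SOC Analysts group and confirm you can see incidents in the customer workspace but cannot change analytics rules, which validates that the Responder/Contributor split actually took effect.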
      • Deleted
        Hi Thijs,

        My (Customer A) tenant doesn't have access to Identity Governance (seen within the documentation provided). What subscription is needed for this?

        I'm trying to figure out what Subscription is needed for my clients - I thought I could get away with just supplying standalone Defender for Endpoint licenses.

        The business plan will change if there is not a workaround, and a different license is needed.

        This was my original question in an earlier post that nobody had replied to:

        What subscription is needed within the customer tenant in order for me to deliver an MDR-like service?
  • Update: [ Notes ] Section was added to this thread.