Brownfield Sentinel implementation

%3CLINGO-SUB%20id%3D%22lingo-sub-2525606%22%20slang%3D%22en-US%22%3EBrownfield%20Sentinel%20implementation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2525606%22%20slang%3D%22en-US%22%3E%3CP%3EI%20wonder%20how%20other%20enterprises%20go%20about%20this.%3C%2FP%3E%3CP%3EWe%20have%20a%20huge%20Log%20Analytics%20Workspace%20that%20stems%20from%20the%20OMS%20days%2C%20so%20it%20holds%20a%20mixture%20of%20security%20and%20non-security%20data.%3C%2FP%3E%3CP%3ESentinel%20implementation%20guidance%20is%20either%20based%20on%20creating%20a%20new%20LAWS%20or%20using%20a%20single%20workspace%20whenever%20possible.%3C%2FP%3E%3CP%3ESo%20this%20would%20be%20our%20single%20workspace%2C%20but%20too%20much%20data%20is%20flowing%20in%2C%20data%20we%20don%E2%80%99t%20need%20in%20Sentinel.%20This%20would%20inflate%20both%20our%20ingestion%20and%20retention%20cost.%3C%2FP%3E%3CP%3EAlso%20way%20too%20many%20people%20have%20access%20to%20this%20data%2C%20especially%20when%20we%20are%20to%20add%20more%20sources%20in%20the%20near%20future.%3C%2FP%3E%3CP%3EWe%20don%E2%80%99t%20want%20multi-homing%20but%20we%20do%20want%20to%20separate%20out%20security%20and%20non-security%20data.%20Also%20reduce%20ingestion%20into%20Sentinel%20wherever%20possible%20of%20unneeded%20data.%3C%2FP%3E%3CP%3EWe%20know%20we%20could%20do%20a%20lot%20by%20table%20level%20RBAC%20or%20resourcebased%20RBAC%20to%20limit%20access.%20Also%2C%20we%20can%20leverage%20table%20level%20retention%20to%20limit%20the%20amount%20of%20data%20we%20need%20to%20keep.%20But%20this%20does%20not%20address%20the%20data%20ingestion.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20how%20do%20you%20go%20about%20this%3F%20We%20are%20still%20thinking%20about%20a%20dedicated%20Sentinel%20LAWS%2C%20%26nbsp%3Bbut%20we%20do%20not%20have%20yet%20a%20clear%20view%20on%20the%20data%20flows.%20Needless%20to%20say%20we%20need%20the%20data%20in%20the%20existing%20OMI%20workspace%20for%20other%20purposes%20also.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2528136%22%20slang%3D%22en-US%22%3ERe%3A%20Brownfield%20Sentinel%20implementation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2528136%22%20slang%3D%22en-US%22%3E%22Needless%20to%20say%20we%20need%20the%20data%20in%20the%20existing%20OMI%20workspace%20for%20other%20purposes%20also%22%20If%20you%20can%20separate%20the%20security%20and%20non%20security%20data%20ingestion%20why%20do%20you%20need%20security%20data%20on%20your%20OMI%20workspace%20%3F%20Its%20a%20duplication%20of%20data%20spread%20across%20workspaces.%3CBR%20%2F%3EIngestion%20into%20Sentinel%20enabled%20workspace%20is%20for%20security%20analysis..%20any%20other%20data%20ingestion%20not%20only%20adds%20higher%20cost%20and%20retention%20but%20will%20pose%20lot%20of%20challenges%20like%20Noise%2C%20false%20positives%2C%20query%20performance%20issues%2C%20alerting%20etc..%20mainly%20impacts%20mean%20time%20to%20triage%20%26amp%3B%20incident%20closure.%3CBR%20%2F%3E%3CBR%20%2F%3EIt%20is%20good%20to%20Ingest%20what%20is%20needed%20into%20a%20new%20sentinel%20enabled%20workspace%20and%20make%20use%20of%20sentinel%20specific%20RBAC.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2533485%22%20slang%3D%22en-US%22%3ERe%3A%20Brownfield%20Sentinel%20implementation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2533485%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F516158%22%20target%3D%22_blank%22%3E%40PrashTechTalk%3C%2FA%3E%26nbsp%3B%20You%20write%20%E2%80%9CIf%20you%20can%20separate%20the%20security%20and%20non-security%20data%E2%80%9D%20-%20If%20I%20could%20I%20certainly%20would%20do%20that%20-%20it%20is%20just%20that%20I%20don%E2%80%99t%20think%20we%20can.%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20the%20other%20hand%2C%20most%2C%20if%20not%20all%2C%20resources%20sending%20data%20to%20the%20workspace%20also%20are%20onboarded%20into%20defender.%20So%20if%20we%20connect%20Defender%20(i.e.%20the%20many%20Defenders%20%3Bp)%20to%20Sentinel%2C%20we%20could%20be%20good%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20guess%20we%20need%20to%20do%20a%20thorough%20analysis%20of%20what%20is%20actually%20going%20into%20the%20OMI%20workspace%20first.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2534082%22%20slang%3D%22en-US%22%3ERe%3A%20Brownfield%20Sentinel%20implementation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2534082%22%20slang%3D%22en-US%22%3ECould%20you%20stream%20the%20security%20data%20into%20a%20new%20dedicated%20instance%20for%20Sentinel%20then%20give%20access%20for%20users%20to%20query%20particular%20tables%20across%20workspaces%3F%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flogs%2Fcross-workspace-query%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flogs%2Fcross-workspace-query%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EOr%20is%20that%20what%20you%20mean%20by%20avoid%20multi-homing%3F%3C%2FLINGO-BODY%3E
Occasional Contributor

I wonder how other enterprises go about this.

We have a huge Log Analytics Workspace that stems from the OMS days, so it holds a mixture of security and non-security data.

Sentinel implementation guidance is either based on creating a new LAWS or using a single workspace whenever possible.

So this would be our single workspace, but too much data is flowing in, data we don’t need in Sentinel. This would inflate both our ingestion and retention cost.

Also way too many people have access to this data, especially when we are to add more sources in the near future.

We don’t want multi-homing but we do want to separate out security and non-security data. Also reduce ingestion into Sentinel wherever possible of unneeded data.

We know we could do a lot by table level RBAC or resourcebased RBAC to limit access. Also, we can leverage table level retention to limit the amount of data we need to keep. But this does not address the data ingestion.

 

So, how do you go about this? We are still thinking about a dedicated Sentinel LAWS,  but we do not have yet a clear view on the data flows. Needless to say we need the data in the existing OMI workspace for other purposes also.

 

4 Replies
"Needless to say we need the data in the existing OMI workspace for other purposes also" If you can separate the security and non security data ingestion why do you need security data on your OMI workspace ? Its a duplication of data spread across workspaces.
Ingestion into Sentinel enabled workspace is for security analysis.. any other data ingestion not only adds higher cost and retention but will pose lot of challenges like Noise, false positives, query performance issues, alerting etc.. mainly impacts mean time to triage & incident closure.

It is good to Ingest what is needed into a new sentinel enabled workspace and make use of sentinel specific RBAC.

@PrashTechTalk  You write “If you can separate the security and non-security data” - If I could I certainly would do that - it is just that I don’t think we can. 

On the other hand, most, if not all, resources sending data to the workspace also are onboarded into defender. So if we connect Defender (i.e. the many Defenders ;p) to Sentinel, we could be good?

 

I guess we need to do a thorough analysis of what is actually going into the OMI workspace first.

Could you stream the security data into a new dedicated instance for Sentinel then give access for users to query particular tables across workspaces? https://docs.microsoft.com/en-us/azure/azure-monitor/logs/cross-workspace-query

Or is that what you mean by avoid multi-homing?

@m_zorich Yes, I think that is what I mean by avoiding multihoming.

Ideally we would have one workspace for everything (with proper resourcebased or table level acces) but that would incur extra ingestion costs into Sentinel. Also, not all data has the same retention requirements. That would extend our current situation when we would deploy Sentinel on top of the existing OMI workspace.

On the other hand we are trying to find a good way to get only the necessary data into Sentinel, whilst not breaking anything of the current reporting and monitoring.

Preferably not by mutltihoming clients (and not all paas and saas services can even do that), but in some other way. But maybe in a way to select data from the existing workspace into a new one, use the log analytics workspace dataexport functionality, or some other means.

And, as I mentioned in another reply, maybe first thoroughly analyse what is going into the OMI workspace right now, and maybe we can separate at the source in other ways. E.g. when a VM is onboarded in Defender for Endpoint, should it still log to OMI, or is it sufficient to just connect DfE to Sentinel?