Sentinel Lighthouse - Best Practice


Hello -

I've begun the testing and development phase of my Azure/Lighthouse deployment.

Currently: Customer A has Defender for Endpoint configured.

Goal:
Take Defender ATP alerts and centrally manage them in the SOC using Azure Lighthouse. I would like to manage the endpoint as well; I believe this is a different technology.

I know I will need to deploy Sentinel for myself and for Customer A.

I will also need to deploy Azure Lighthouse to connect to the customer environment.

Which should be done first, and can this be done in one step?


Notes:
I plan to use this Azure-Sentinel/Tools/Sentinel-All-In-One/MSSPversion at master · Azure/Azure-Sentinel · GitHub

But I don't know where I am in the steps from 
Extend Azure Sentinel across workspaces and tenants | Microsoft Docs
to
Onboard a customer to Azure Lighthouse - Azure Lighthouse | Microsoft Docs
to
Deploying and Managing Azure Sentinel as Code - Microsoft Tech Community

If someone can give me a
1()
2()
3()
sort of picture in following documentation, advice, etc.
Greatly appreciated!

THANKS!

8 Replies
Update: [ Notes ] Section was added to this thread.

bump

Hi

You don't need a Sentinel resource in your tenant per se. If your internal organization doesn't require Sentinel, you don't need to deploy it.

I would recommend configuring Lighthouse first, then setting up Azure Sentinel in the environment of your customer.

To manage Microsoft Defender, you can't use Lighthouse; I would recommend this => https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/grant-mssp-access?view=o36...

Hi Thijis,

My (CUSTOMER A) tenant doesn't have access to Identity Governance (seen within the documentation provided). What is the subscription needed for this?

I'm trying to figure out what subscription is needed for my clients - I thought I could get away with just supplying standalone Defender for Endpoint licenses.

The business plan will change if there is not a workaround, and a different license is needed.

This was my original question in an earlier post that nobody had replied to:

What subscription is needed within the customer tenant in order for me to deliver an MDR-like service?

Identity Governance requires Azure AD P2 (which comes with EM+S E5 or M365 E5).

I see that!
- Last thing I want to do is manage Intune for clients; I'm trying to go for volume with Defender agents and cut costs.
I'll have to see what works.
What do most MSSPs charge per endpoint? SOCaaS model? Thanks!

Depends on the MSSP. Some charge per user, some per device, some per incident. All depends on your way of working.

Thanks for all of your help, Thijis. I sent you a private message; I can't wait for your response!