Mar 05 2021 09:58 PM
Hi Team,
I need assistance with Azure onboarding. In my organization a different team manages Azure, so they are the owners. I will only be working on the Sentinel part. We do have the license which includes Sentinel, but I was asked to find out the prerequisites for Sentinel. Based on the documentation, I see that a dedicated workspace is needed and that Contributor access is also needed for that workspace, but as I am not the admin and currently have no access to Azure, I am wondering what the best option is for me to ask the other team member in order to activate Sentinel.
Is the best option to get temporary admin access to Azure so I can create the workspace myself, or if I have to give instructions to the other team to enable Sentinel, what are the steps I can follow? Any suggestions would be appreciated.
Mar 06 2021 06:06 AM
@msef280 You do not necessarily need a dedicated workspace but it is better to use one to avoid excess charges. If your company already has a Log Analytics workspace that it is using, and you want all the data to be in Azure Sentinel, you can use that.
Otherwise, you need to look at all the regions your company will be using and if there will be data produced in those regions that need to go into Azure Sentinel. Take into account the egress charges and determine if it will be better to use one workspace or multiple workspaces. Take a look at this post for more information: Best practices for designing an Azure Sentinel or Azure Security Center Log Analytics workspace - Mi...
Also, keep in mind that even if you get the rights to create Azure Sentinel, you will need to have either Security Administrator or Global Administrator to set up some of the data connectors. A lot of companies will not allow anyone outside of the IT department to have those rights, so you will need to work with someone who has them to get everything set up.
I would also take a look at the Azure Sentinel All-in-one deployment, Azure-Sentinel/Tools/Sentinel-All-In-One at master · Azure/Azure-Sentinel (github.com), as a way to get your Azure Sentinel environment started. You can then add the additional data connectors you need later.
Mar 08 2021 11:42 AM
@msef280 : the challenge is that there is no such thing as a Sentinel license. The cost is based on actual use. As a result, we obviously need someone with the right permissions to onboard Sentinel and essentially approve the charges. Same as for example creating a VM on Azure: it costs, so someone with the right permissions is needed to create it.