Sentinel Lighthouse - Best Practice

Deleted · ‎Apr 21 2021

Hello -

I've begun the testing and development phase of my Azure/Lighthouse deployment.

Currently: Customer A has defender for endpoint configured.

Goal:
Take defender ATP alerts and centrally manage them in the SOC using Azure lighthouse. I would like to manage the endpoint as well, I believe this is a different technology.

I know I will need to deploy Sentinel for myself and for Customer A

I will also need to deploy Azure Lighthouse to connect to the customer environment.

Which should be done first? ( and ) can this be done in one step?

Notes:
I plan to use this Azure-Sentinel/Tools/Sentinel-All-In-One/MSSPversion at master · Azure/Azure-Sentinel · GitHub

But I don't know where I am in the steps from
Extend Azure Sentinel across workspaces and tenants | Microsoft Docs
to
Onboard a customer to Azure Lighthouse - Azure Lighthouse | Microsoft Docs
to
Deploying and Managing Azure Sentinel as Code - Microsoft Tech Community

If someone can give me a
1()
2()
3()

Sort of picture in following documentation, advice, etc.
Greatly appreciated!

THANKS!

Report Inappropriate Content · ‎Apr 21 2021

Update: [ Notes ] Section was added to this thread.

Report Inappropriate Content · ‎Apr 22 2021

bump

Thijs Lecomte · ‎Apr 23 2021

Hi

You don't need a Sentinel resource in your tenant perse. If your internal organization doesn't require Sentinel, you don't need to deploy it.

I would recommend to configure Lighthouse first, then setup Azure Sentinel in the environment of your customer.

To manage Microsoft Defender, you can't use Lighthouse, I would recommend this => https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/grant-mssp-access?view=o36...

Thijs Lecomte · ‎Apr 27 2021

Hi Thijis,

My ( CUSTOMER A- ) tenant, doesn't have access to Identity Governance (seen within the documentation provided) , What is the subscription needed for this?

I'm trying to figure out what Subscription is needed for my clients - I thought I could get away with just supplying standalone Defender for Endpoint licenses.

The business plan will change if there is not a workaround, and a different license is needed.

This was my original question in an earlier post that nobody had replied to:

What subscription is needed within the customer tenant in order for me to deliver an MDR-like service.

Dean Gross · ‎Apr 27 2021

Identity Governance requires Azure AD P2 (which comes with EM+S E5 or M365 E5)

Dean Gross · ‎Apr 27 2021

I see that!
- Last thing I want to do is manage InTune for clients, I'm trying to go for volume with defender agents and cut costs.
I'll have to see what works,
What do most MSSP charge per endpoint? SOCaaS model? Thanks - !

Thijs Lecomte · ‎May 02 2021

Depends on an MSSP. Some charge per user, some per device, some per incident. All depends on your way of working

Thijs Lecomte · ‎May 02 2021

Thanks for all of your help Thijis, I sent you a private message, I can't wait for your response!

Sentinel Lighthouse - Best Practice

Sentinel Lighthouse - Best Practice

Re: Sentinel Lighthouse - Best Practice

RE: Sentinel Lighthouse - Best Practice

RE: Sentinel Lighthouse - Best Practice

RE: Sentinel Lighthouse - Best Practice

RE: Sentinel Lighthouse - Best Practice

RE: Sentinel Lighthouse - Best Practice

RE: Sentinel Lighthouse - Best Practice

RE: Sentinel Lighthouse - Best Practice

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Sentinel Lighthouse - Best Practice