Logging and Alerting in a Hybrid Environment


So, I am working in a company where we are re-vamping the entire concept of how we do security, to include a centralized SOC/CERT at the company HQ-level, who are responsible for bringing logging in from ALL of our divisions and subsidiaries; translating those events into a common operational picture of the current state of alerts and events across the company; and investigating alerts and events that would indicate a security incident.


We are going all-in on establishing a data lake where these events would be coming in, stored and analyzed. Still not sure about using Sentinel or going another route. My question to the team here...is there a definitive document or documents from MS that says, "these are the minimum logs you would want/need" for effective monitoring of a hybrid, on-prem, multi-cloud provider environment?


A centralized best-practices document or series of documents would be ideal!

1 Reply
Hello Edwin,

There is not a single document with this info, but I hope the options below will help you:

Sentinel Best Practices (talks about some logs that should be collected - regardless if on-prem or not)
https://www.microsoft.com/security/blog/wp-content/uploads/2020/07/Azure-Sentinel-whitepaper.pdf

Security Best Practices: this one looks at sec best practices on each workload, and also covers logging
https://docs.microsoft.com/en-us/azure/security/fundamentals/best-practices-and-patterns