If you are new to Microsoft Sentinel workspaces, see the design strategies and criteria in Design a Log Analytics workspace architecture.

If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope for subscriptions. When you organize your subscriptions within management groups, the governance conditions you configure for a management group apply to the subscriptions it contains.

For example, the Microsoft Sentinel workspace in the following diagram is in the Security subscription under the Platform management group, which is part of the Microsoft Entra tenant. For more information, see Organize your resources with management groups.

The Security Azure subscription and the Microsoft Sentinel workspace inherit the role-based access control (RBAC) and Azure policies that are applied to the Platform management group.

To use Microsoft Sentinel, the first step is to create your Log Analytics workspaces. A single Log Analytics workspace might be sufficient for many environments, but many organizations create multiple workspaces to optimize costs and better meet different business requirements. It is a best practice to create separate workspaces for operational and security data, both for data ownership and for cost management of Microsoft Sentinel. For example, if more than one person administers operational and security roles, your first Zero Trust decision is whether to create separate workspaces for those roles.

For an example of separate workspaces for operational and security roles, see Contoso's solution. For more information, see Design criteria for Log Analytics workspaces.

Log Analytics workspace design considerations

For a single tenant, there are two ways Microsoft Sentinel workspaces can be configured:

- Single tenant with a single Log Analytics workspace. In this case, the workspace becomes the central repository for logs across all resources within the tenant, and Microsoft Sentinel RBAC can be used for service RBAC. For more information, see Roles and permissions in Microsoft Sentinel and Manage access to Log Analytics workspaces - Azure Monitor.
- Single tenant with regional Log Analytics workspaces. Analytics, workbooks, and other configurations must be deployed multiple times, and there is a bandwidth cost between regions.

The following are considerations for setting up Log Analytics for Microsoft Sentinel:

- Onboarding Microsoft Sentinel requires selecting a Log Analytics workspace. To create your Log Analytics workspaces, see Create Log Analytics workspaces.
- Create a "Security" resource group for governance purposes. This isolates the Microsoft Sentinel resources and allows role-based access to the collection. For more information, see Design a Log Analytics workspace architecture.
- Create a Log Analytics workspace in the "Security" resource group and onboard Microsoft Sentinel into it. This automatically gives you 31 days of data ingestion, up to 10 GB a day, free as part of a free trial.
- Set the Log Analytics workspace supporting Microsoft Sentinel to 90-day retention at a minimum. Once you onboard Microsoft Sentinel to a Log Analytics workspace, you get 90 days of data retention at no additional cost; after 90 days, you incur costs for the total amount of data in the workspace. Setting retention to 90 days ensures a 90-day rollover of log data. You may consider retaining log data for longer based on governmental requirements. See Quickstart: Onboard in Microsoft Sentinel for more information.
- To implement a zero-trust architecture, consider extending the workspace to query and analyze your data across workspaces and tenants.
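The resource group, workspace, retention and onboarding steps listed above, as an added example written for this page with the Az PowerShell modules (Az.Resources, Az.OperationalInsights, Az.SecurityInsights); it is not code from the Microsoft documentation, and the subscription id, region, workspace name and security-team group id are placeholders or constructed values.

```powershell
# Added example for this page (not from the Microsoft docs): provision the
# Zero Trust baseline with Az.Resources, Az.OperationalInsights and
# Az.SecurityInsights. Placeholder/constructed values must be replaced.
$subscriptionId = '<security-subscription-id>'       # placeholder
$secOpsGroupId  = '<security-team-entra-group-oid>'  # placeholder: Entra group object id
$location       = 'eastus'                           # assumption: choose your region
$rgName         = 'Security'                         # resource group named on the page
$workspaceName  = 'law-sentinel-security'            # constructed name
$minRetention   = 90                                 # minimum the page recommends

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Dedicated "Security" resource group: isolates Sentinel resources and
#    gives a scope for role-based access to the collection.
$rg = New-AzResourceGroup -Name $rgName -Location $location -Force

# 2. Log Analytics workspace with retention set to the 90-day floor (those
#    90 days are included at no extra charge once Sentinel is onboarded).
New-AzOperationalInsightsWorkspace -ResourceGroupName $rgName -Name $workspaceName `
    -Location $location -Sku 'PerGB2018' -RetentionInDays $minRetention | Out-Null

# 3. Onboard Microsoft Sentinel to that workspace.
New-AzSentinelOnboardingState -ResourceGroupName $rgName `
    -WorkspaceName $workspaceName -Name 'default' | Out-Null

# 4. Scope Sentinel RBAC to the resource group rather than the subscription:
#    the security team reads Sentinel data without gaining operational rights.
New-AzRoleAssignment -ObjectId $secOpsGroupId -RoleDefinitionName 'Microsoft Sentinel Reader' `
    -Scope $rg.ResourceId | Out-Null

# 5. Verify the baseline: retention must not sit below the 90-day floor and
#    the workspace must actually be onboarded to Sentinel.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rgName -Name $workspaceName
if ($ws.RetentionInDays -lt $minRetention) {
    throw "Retention is $($ws.RetentionInDays) days; the baseline requires at least $minRetention."
}
$onboarded = Get-AzSentinelOnboardingState -ResourceGroupName $rgName -WorkspaceName $workspaceName
if (-not $onboarded) { throw "Microsoft Sentinel is not onboarded to $workspaceName." }
Write-Output "Sentinel workspace $workspaceName ready: retention $($ws.RetentionInDays) days."
```

Run the verification step (5) on its own on a schedule if you want to catch a later retention change or a workspace that was never onboarded.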