Best Practices for Configuring Microsoft Sentinel


Like so many other pieces of software, Microsoft Sentinel ships with decent defaults that usually need to be tweaked before it is deployed in a production environment. Most IT department staff will want to start the configuration process by setting their own commitment tiers. Transferring data between different Azure containers can quickly use up a great deal of bandwidth, so this step can be even more important than any of the steps directly related to network security.

Once bandwidth issues are out of the way, it’s important to take a look at how the workspace dashboard is set up. Azure’s setup utility will select a different Log Analytics workspace for Microsoft Sentinel depending on what type of installation it thinks it’s running on. Single-tenant workspace layouts are going to be best for most situations, since they give IT staff the freedom to look over all of the relevant details without anything getting lost in the mix. This should also prove helpful when it comes time to revisit any hunting queries that might be stored in the Azure database.

Every Sentinel instance will generate a list of incidents and provide them to a human overseer automatically. Always make sure to review the incidents page, even if it seems like a large number of false positives keep coming up. If the information starts to become burdensome, then it might be time to double-check the analytics rule list. Chances are that there are simply too many rules and otherwise legitimate traffic is being logged as potentially harmful.
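To act on that last point with data rather than a hunch, the query below (an added example, not from the article) ranks analytics rules by the share of their closed incidents that analysts marked as false positives. It assumes the standard SecurityIncident table; the floor of five closed incidents per rule is an arbitrary choice so that a rule is not ranked on one or two closures.

```kusto
// Added example: which analytics rules generate the most false positives?
// SecurityIncident records a row for every update to an incident, so take
// the latest row per IncidentNumber first; otherwise every count is inflated.
let lookback = 30d;
let latest = SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber;
latest
| where Status == "Closed"
// An incident can come from more than one rule; count it once per rule.
| mv-expand RuleId = RelatedAnalyticRuleIds to typeof(string)
// RelatedAnalyticRuleIds holds full ARM resource paths; keep only the rule GUID.
| extend RuleId = tostring(split(RuleId, "/")[-1])
| summarize
    Incidents = count(),
    FalsePositives = countif(Classification == "FalsePositive"),
    BenignPositives = countif(Classification == "BenignPositive"),
    TruePositives = countif(Classification == "TruePositive")
    by RuleId
| extend FalsePositiveRate = round(100.0 * FalsePositives / Incidents, 1)
| where Incidents >= 5   // assumed floor, adjust to your incident volume
| order by FalsePositiveRate desc, Incidents desc
```

Rules at the top of this list are the candidates for tighter thresholds, entity exclusions, or retirement; rules that score high on BenignPositives usually need tuning rather than removal.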


Each packet going into an Azure installation will get checked against Sentinel’s rules. Head into the firewall properties sheet and read over the check boxes. Unlike a command line-based utility such as UFW or BusyBox, Sentinel provides a complete overview of all the rules set at any given time. Organizations that have physical hardware assets connected to their Azure containers will want to notify Sentinel of their existence so that it doesn’t constantly throw out error messages whenever it pings them.

Disable anything related to remote access if it isn’t immediately needed, because any open port increases a system’s attack surface by at least a small margin. Companies that need to do remote maintenance on a regular basis will want to invest in a managed Microsoft Sentinel package, which ensures that professionals are there to keep tabs on their devices at all times. Trained experts can catch many problems that would otherwise have remained invisible.

Administrators who handle most of their chores on an on-premises basis will also want to create a set of custom bookmarks so that they can review any potential problems instantly. Since Sentinel is a cloud-native security information and event management solution, it supports a number of automation features that should make this process at least somewhat easier. Paramount among these is the Kusto Query Language, which is a worthy replacement for tools like Perl or Python when working with Sentinel.

In spite of this, few system operators are going to want to rush to convert every single script they have over to Kusto. Countless Azure containers actually have some kind of Unix-based software installation running inside them, so scripts written for software that runs in these containers should stay in languages made for that situation. Objects running outside of it should incorporate Kusto code, especially if they interface with Sentinel in some way. Taking a small amount of time to go over everything sitting in the /sys/bin/ directory now can save a substantial amount of time later on.
