Effective security monitoring and analysis require a security information and event management (SIEM) solution such as Microsoft Azure Sentinel, but the tool must be configured properly. Data collection and analytics in Azure Sentinel can be configured in many ways, and the right choice depends on your security needs and on what is in your environment. A configuration management tool such as Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager) is a practical way to push the monitoring agents to a large server estate, because Azure Sentinel is only as useful as the data that reaches it.
Before you can deploy Azure Sentinel, you must install the correct monitoring agents on the servers in your environment, whether they are on-premises servers or virtual machines running in the cloud. Microsoft provides agents for Windows and Linux, and they work on hosts in Azure, in Amazon Web Services and other providers' clouds, and on-premises. The agent is what carries host-level log data (Windows security events, syslog and CEF forwarded from network devices) into the Log Analytics workspace that Azure Sentinel analyzes; cloud services such as Azure Active Directory and Office 365 are instead connected through API-based data connectors that need no agent.
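The script below is an added example and is not part of the eBook. It onboards a mixed set of Azure virtual machines to a Log Analytics workspace with the Microsoft Monitoring Agent VM extension (the Windows and Linux extensions differ only in name and version) and then checks that every host is actually sending heartbeats. The resource-group, workspace and VM names are placeholders; the script assumes the Az.Accounts, Az.Compute and Az.OperationalInsights modules are installed and that Connect-AzAccount has already been run.

```powershell
# Added example, not from the eBook. Names below are placeholders.
$rg        = 'rg-sentinel'                      # placeholder resource group
$workspace = 'law-sentinel'                     # placeholder Log Analytics workspace
$vmNames   = @('win-app-01', 'lnx-web-01')      # placeholder VM names

# Workspace ID is public-ish; the shared key is a secret and must only travel in ProtectedSettings.
$ws    = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace
$keys  = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $rg -Name $workspace
$wsId  = $ws.CustomerId.ToString()
$wsKey = $keys.PrimarySharedKey

foreach ($name in $vmNames) {
    $vm = Get-AzVM -ResourceGroupName $rg -Name $name

    # Pick the extension by OS type; the settings payload is identical for both.
    if ($vm.StorageProfile.OsDisk.OsType -eq 'Windows') {
        $extType = 'MicrosoftMonitoringAgent'
        $version = '1.0'
    } else {
        $extType = 'OmsAgentForLinux'
        $version = '1.13'
    }

    Set-AzVMExtension -ResourceGroupName $rg -VMName $name -Location $vm.Location `
        -Name $extType -Publisher 'Microsoft.EnterpriseCloud.Monitoring' `
        -ExtensionType $extType -TypeHandlerVersion $version `
        -Settings @{ workspaceId = $wsId } `
        -ProtectedSettings @{ workspaceKey = $wsKey }
}

# Verification: an onboarded agent writes to the Heartbeat table roughly once a minute,
# so every host should appear within the last 15 minutes.
$query = @"
Heartbeat
| where TimeGenerated > ago(15m)
| summarize LastSeen = max(TimeGenerated) by Computer, OSType
"@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $query
$seen   = $result.Results | Select-Object -ExpandProperty Computer

# Note: the agent reports the OS hostname, which can differ from the Azure VM name
# (for example a Linux FQDN); -notcontains is case-insensitive but not fuzzy.
foreach ($name in $vmNames) {
    if ($seen -notcontains $name) {
        Write-Warning "$name has not sent a heartbeat yet; check the extension status and outbound HTTPS"
    }
}
$result.Results | Format-Table -AutoSize
```

The heartbeat check is the part worth keeping around: a missing heartbeat is the earliest sign that a host has silently dropped out of collection, and no analytics rule will fire for data that never arrives.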
The most challenging aspect of Azure Sentinel deployment is deciding what you need the system to tell you, and then configuring data collection and analytics so that you can extract that information. Azure Sentinel lets you bring all your security monitoring data into one tool in the Azure portal. That can reduce mean time to detect and mean time to respond, but only if you know what you are looking for: that decision determines which data you collect, which analytics rules you enable or write, and which automations you configure.
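As an added example of turning "what you need the system to tell you" into a concrete rule (this is not from the eBook), the script below expresses one such question in KQL: has an account failed to log on many times from a single source address and then succeeded from that same address? It runs the query ad hoc against the workspace, then registers the same query as a scheduled analytics rule. The question dictates the data: it needs the SecurityEvent table, which only exists if the Windows agent and the Security Events connector from the previous step are in place. Resource-group and workspace names are placeholders; the script assumes Az.OperationalInsights and Az.SecurityInsights are installed and Connect-AzAccount has been run, and the New-AzSentinelAlertRule parameter names follow the Az.SecurityInsights 3.x release (older releases use a -Scheduled switch instead of -Kind).

```powershell
# Added example, not from the eBook. Names below are placeholders.
$rg        = 'rg-sentinel'      # placeholder resource group
$workspace = 'law-sentinel'     # placeholder Log Analytics workspace
$wsId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace).CustomerId.ToString()

# The detection question, as KQL. 4625 = failed logon, 4624 = successful logon.
# LogonType 3 (network) and 10 (RDP) are the remote paths an attacker actually uses;
# interactive console logons are excluded to cut noise.
$kql = @'
let lookback  = 1h;
let threshold = 10;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID in (4624, 4625)
| where LogonType in (3, 10)
| summarize Failures     = countif(EventID == 4625),
            Successes    = countif(EventID == 4624),
            FirstFailure = minif(TimeGenerated, EventID == 4625),
            FirstSuccess = minif(TimeGenerated, EventID == 4624)
          by Computer, TargetUserName, IpAddress
| where Failures >= threshold and Successes > 0 and FirstSuccess > FirstFailure
| project Computer, TargetUserName, IpAddress, Failures, FirstFailure, FirstSuccess
'@

# Step 1: run it once by hand. Tuning the threshold here, against real data, is far
# cheaper than tuning it after the rule has opened a few hundred incidents.
$hits = (Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $kql).Results
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Host 'No matches in the last hour' }

# Step 2: the same query as a scheduled rule. QueryPeriod matches the ago(lookback)
# window in the query and QueryFrequency matches it too, so each event is examined
# exactly once. Threshold 0 with GreaterThan means any returned row raises an alert;
# the counting logic lives in the query, not in the rule's trigger.
# (Assumption: Az.SecurityInsights 3.x parameter names; see Get-Help New-AzSentinelAlertRule.)
New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $workspace `
    -Kind Scheduled -Enabled `
    -DisplayName 'Brute force followed by successful logon' `
    -Description 'Ten or more 4625 failures then a 4624 success for the same account and source IP within an hour' `
    -Severity Medium `
    -Query $kql `
    -QueryFrequency (New-TimeSpan -Hours 1) `
    -QueryPeriod (New-TimeSpan -Hours 1) `
    -TriggerOperator GreaterThan -TriggerThreshold 0
```

The design point is that the rule is only as good as the question and the data behind it: if LogonType or IpAddress is missing because the Security Events connector was set to collect a minimal event set, the summarize step groups everything together and the rule goes quiet rather than failing loudly, which is exactly the kind of gap the ad hoc run in step 1 is meant to expose.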
This is an excerpt from 7 Experts on Implementing Azure Sentinel. This eBook was generously sponsored by BlueVoyant.