Section 9 – Mitigate threats using Microsoft Sentinel – Design and configure a Microsoft Sentinel workspace

We are already at the 9th section on my study guide and this time we will start with Sentinel.

First I want to point the Ninja training that Ofer Shezaf’s and him team has made for you. It was updated last in February 2023 and it’s an excellent collection of study materials for you all!

Seeing how to plan a workplace and roles for it. Also where to store data and how to implement content hub and use other resources.

So, once again, let’s get going!

Plan a Microsoft Sentinel workspace

Designing is one key element for Sentinel, here some things you should consider when doing your design.

Microsoft has this excellent page for different parts and even workflow to visualize your design choices

Tenant and workspace

While having fewer workplaces makes management easier, you may have special requirements for many tenants and workspaces. Many enterprises, for example, have a cloud infrastructure with several Azure Active Directory (Azure AD) tenants as a consequence of mergers and acquisitions or identity separation needs.

Consider how many tenants and workspaces to employ while considering how many tenants and workspaces to utilize. Most Microsoft Sentinel capabilities run on a single workspace or Microsoft Sentinel instance, and Microsoft Sentinel ingests all logs held within the workspace.

It’s possible that not all the connectors can be connected to a workspace that is not located in the same tenant where the resource resides.

When you are designing a Sentinel workplace, you should use one Workspace for each tenant, geo-location and subsidiary.

See here for a table from Microsoft on the considerations

RequirementDescriptionWays to reduce workspace count
Sovereignty and regulatory complianceA workspace is tied to a specific region. To keep data in different Azure geographies to satisfy regulatory requirements, split up the data into separate workspaces.
Data ownershipThe boundaries of data ownership, for example by subsidiaries or affiliated companies, are better delineated using separate workspaces.
Multiple Azure tenantsMicrosoft Sentinel supports data collection from Microsoft and Azure SaaS resources only within its own Azure Active Directory (Azure AD) tenant boundary. Therefore, each Azure AD tenant requires a separate workspace.
Granular data access controlAn organization may need to allow different groups, within or outside the organization, to access some of the data collected by Microsoft Sentinel. For example:
Resource owners’ access to data pertaining to their resourcesRegional or subsidiary SOCs’ access to data relevant to their parts of the organization
Use resource Azure RBAC or table level Azure RBAC
Granular retention settingsHistorically, multiple workspaces were the only way to set different retention periods for different data types. This is no longer needed in many cases, thanks to the introduction of table level retention settings.Use table level retention settings or automate [data deletion](Managing personal data in Log Analytics and Application Insights
Split billingBy placing workspaces in separate subscriptions, they can be billed to different parties.Usage reporting and cross-charging
Legacy architectureThe use of multiple workspaces may stem from a historical design that took into consideration limitations or best practices which don’t hold true anymore. It might also be an arbitrary design choice that can be modified to better accommodate Microsoft Sentinel.

Examples include:
Using a per-subscription default workspace when deploying Microsoft Defender for CloudThe need for granular access control or retention settings, the solutions for which are relatively new
Re-architect workspaces

And here for sample design to give you can idea what you should consider.

Data residency

Residency is always important when validating designs for Cloud services.

  • Sentinel can run on workspaces in nearly any place where Log Analytics is widely accessible.
  • It may take some time for regions where Log Analytics is new to onboard the Microsoft Sentinel service.
  • Microsoft Sentinel keeps client data in the same geographical location as the Log Analytics workspace that is linked with Microsoft Sentinel.
  • Microsoft Sentinel handles client data in one of two places:
  • Customer data is processed in Europe if the Log Analytics workspace is situated there.
  • Customer data is processed in the United States for all other regions.

Azure Lighthouse

Lighthouse is an excellent solution for MSSPS as they provide cybersecurity monitoring and management for multiple clients.

Some benefits for Lighthouse integration are:

  • Cross tenant queries
  • Cross tenant workbooks
  • Cross tenant incident screen
  • Cross tenant automation
  • Cross tenant analytics rules

See more from Learn on Azure Lighthouse onboarding

And more on the workspace design from Microsoft

Workspace manager (preview)

And if you have those multiple workspaces, see the new Workspace manager. With workspace manager, you may manage several Microsoft Sentinel workplaces inside one or more Azure tenants.

What is needed?

  • At least two Microsoft Sentinel workplaces are required. One workspace to manage and at least one additional workspace to manage.
  • The Microsoft Sentinel Contributor role must be assigned on both the central workspace (when workspace manager is enabled) and the member workspace(s) that the contributor must manage.
  • If you manage workspaces across different Azure AD tenants, enable Azure Lighthouse.

Read here for the announcement

Configure Microsoft Sentinel roles

There may be times when many teams require access to the same data and independent security teams may also require access to Microsoft Sentinel capabilities, but with different data sets.

Sentinel RBAC

Sentinel has it’s own RBAC roles, like many other Azure based service does.

Depending services

And RBAC roles for depending services.

Here is an table of the different permission and what they can do.

RoleView and run playbooksCreate and edit playbooksCreate and edit analytics rules, workbooks, and other Microsoft Sentinel resourcesManage incidents (dismiss, assign, etc.)View data, incidents, workbooks, and other Microsoft Sentinel resources
Microsoft Sentinel Reader*
Microsoft Sentinel Responder*
Microsoft Sentinel Contributor
Microsoft Sentinel Playbook Operator
Logic App Contributor
* Users with these roles can create and delete workbooks with the Workbook Contributor role. Learn about Other roles and permissions.

See here for recommendations from Microsoft

Design and configure Microsoft Sentinel data storage

Azure Sentinel offers two storage options for data ingestion: Log Analytics workspace and Azure Data Explorer. Both storage options are highly scalable and flexible.

But did you know that Azure Sentinel is based on Azure Monitor (Log Analytics), which is based on Azure Data Explorer. As a result, moving between different services is simple. You may now leverage Kusto query language queries and dashboards across various services.

Log Analytics Workspace

Log Analytics workspace is the default data storage option in Azure Sentinel. Log Analytics workspace provides a scalable, highly available, and secure storage option for ingesting data. It enables you to collect data from different sources, including cloud services, on-premises servers, and custom applications. You can query, visualize, and analyze the data using Azure Monitor Log Analytics, which is integrated into Sentinel.

See more here on the onboarding of Sentinel to Log analytics workspace

Azure Data Explorer

Azure Data Explorer (ADX) is another storage option available for Azure Sentinel. ADX is a fully managed data analytics service that enables you to perform advanced analytics on large volumes of data. ADX provides a highly scalable and efficient data storage solution that is optimized for fast data ingestion, analysis, and querying. It is ideal for large-scale log analytics scenarios, including security analytics.

Which one should you use?

Maybe pricing or maybe you architecture requirements determinate which one to use or maybe both.

Here is some questions that you should ask:

  • Data Ingestion Volume: How much data are you planning on ingesting into Sentinel? To assess the amount of storage required, estimate your data input volume.
  • Data Retention Period: How long must you keep your data? Take into account any applicable compliance obligations, as well as your organization’s own data retention rules.
  • Frequency of Data Access: How frequently will you need to access your data? To maximize data storage and retrieval, consider the frequency and kind of queries you’ll be conducting.
  • Cost Optimization: How can you reduce the cost of data storage? To limit the quantity of data you need to keep and lower storage expenses, consider data compression, tiered storage, and data sampling.

See here for an example Architecture from Azure Architecture Center.

Implement and use Content hub, repositories, and community resources

Content hub

Content Hub is a Microsoft Sentinel feature that serves as a repository for community-generated content. It includes templates, queries, workbooks, and playbooks to aid in the optimization of security monitoring and response. The Content Hub includes the Sentinel solutions catalog.

Use the Microsoft Sentinel Content Hub to find and install out-of-the-box (OOTB) content from a single location.


Customers can store content, such as queries, workbooks, and playbooks, in the repository. They can employ them to complement Sentinel’s skills. Organizations may build, manage, and share repositories across teams.

Here is once example of the GitHub repository

And here an excellent repo called Azure Sentinel All In One that let’s you automate your deployment and configuration of Sentinel. When highly privileged users are required, this is great for Proof of Concept situations and connection onboarding.

The following content can be imported from a repo:

  • Analytics rules
  • Automation rules
  • Hunting queries
  • Parsers
  • Playbooks
  • Workbooks

See more on repository connection from Learn

Community resources

Microsoft Sentinel provides a comprehensive set of community tools to assist clients in fast onboarding and reaping the benefits of Sentinel. GitHub repositories, community-provided playbooks and queries, community content, and threat intelligence feeds are among the resources available.

KQL Search is an aggregator for KQL queries that are shared on GitHub.

Microsoft has an excellent blog on Sentinel that has posts from Microsoft and also other contributors

And you want to skill-up even more, see this


Remember what you should consider when designing a workplace

  • Tenant and workspace correlation
  • Data residency
  • When using multiple workspaces, using Azure Lighthouse

What RBAC roles Sentinel has? and what are the depending roles?

What the different roles can do in your environment?

How Log Analytics and Data Explorer are different, what is the primary one and why you should choose one of them or should you?

Definition of Content hub and repository also what community resources are available?

Link to main post

This image has an empty alt attribute; its file name is image-123.png

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *