Microsoft Sentinel Governance Overview
This week I take a brief look at some ongoing governance tasks that we can do to keep our Sentinel instances working smoothly and help our SOC team have a better day. Making a living finding needles in a haystack can be hard, so let’s look at some governance best practices that help our SOC team focus on finding those little clues! In this article we will review some quick wins to keep Sentinel in good shape.
Let’s start with some basics to keep Sentinel tuned up.
Reviewing existing Analytics Rules can quickly show you (in the Sentinel dashboard) if there is an update available. First, check your existing rule to see if it is customized. If it is, save your customizations such as changed KQL queries and settings; then proceed with the update. Something really fantastic about this update process is that you will be shown the differences between your existing and new rule as you begin the update process. I tend to be more cautious and typically back up my rule code first; but that’s just my own preference.
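As an added example (not code from the original article), here is the kind of backup pass I would run before walking through the rule updates described above: it exports every analytics rule in the workspace to its own JSON file plus a CSV index, so a customized KQL query or setting can be diffed or restored after the update. It assumes the Az.Accounts and Az.SecurityInsights modules, an existing Azure sign-in with at least Microsoft Sentinel Reader on the workspace, and placeholder values for the resource group, workspace name and backup folder; the rule property names (`Name`, `DisplayName`, `Kind`, `Enabled`) are those returned by `Get-AzSentinelAlertRule` in the Az.SecurityInsights 3.x module.

```powershell
# Added example (not from the original article): back up every analytics rule in a
# Sentinel workspace to JSON before applying content-hub updates.
# Assumes Az.Accounts and Az.SecurityInsights are installed and you are signed in
# with at least Microsoft Sentinel Reader on the workspace.
# $ResourceGroup, $WorkspaceName and $BackupRoot are placeholders for your own values.
param(
    [string]$ResourceGroup = 'rg-sentinel-prod',      # placeholder
    [string]$WorkspaceName = 'law-sentinel-prod',     # placeholder
    [string]$BackupRoot    = "$HOME/sentinel-rule-backups"
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Pull every rule (scheduled, NRT, Fusion, Microsoft security incident creation, ...).
$rules = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName

$index = foreach ($rule in $rules) {
    # $rule.Name is the rule's GUID; it stays stable across updates and is safe as a file name.
    $file = Join-Path $outDir "$($rule.Name).json"
    # Depth matters: the query, entity mappings and grouping settings are nested several levels deep.
    $rule | ConvertTo-Json -Depth 20 | Set-Content -Path $file -Encoding utf8

    [pscustomobject]@{
        Id          = $rule.Name
        DisplayName = $rule.DisplayName
        Kind        = $rule.Kind
        Enabled     = $rule.Enabled
        File        = $file
    }
}

# A CSV index makes it easy to compare a "before" and "after" snapshot of a bulk update pass.
$index | Export-Csv -Path (Join-Path $outDir 'rules-index.csv') -NoTypeInformation
$index | Format-Table Id, DisplayName, Kind, Enabled -AutoSize
Write-Host "Backed up $($index.Count) rule(s) to $outDir"
```

Run it once before you start updating, then again after; comparing the two folders with your favourite diff tool shows exactly which queries and settings the update changed, which complements the in-portal diff view.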
Review the Microsoft Sentinel activity to see if a workbook has been updated or changed. As content is often updated, your Workbooks may have updates available from time to time. To learn more about auditing activity in Sentinel, check out https://learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data.
Log Analytics Workspace Review
Reviewing your Log Analytics Workspace periodically is always a good idea. I’ve heard storage accounts referred to as one of the easiest ways to forget how your money is being spent in Azure. A good way to keep a handle on that storage cost is to review it occasionally.
In the Azure Portal, go to Log Analytics Workspaces, choose your Sentinel workspace, then go to Usage and Estimated Costs. Take a look through and understand what data is coming in, how much and how long you are retaining data for. The question I always ask my clients is “Do you use this data?”. “How about this table data from 8 months ago? Do you use it still?”
Consider adjusting your overall workspace retention to meet your business requirements, and also your per-table data retention. We’ll talk about that in our next article in more depth!
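To put numbers behind the “Do you use this data?” conversation, here is an added example (mine, not from the original article) that does the Usage and Estimated Costs review from the command line: it sums billable ingestion per table over the last 30 days from the `Usage` table and shows each table’s retention next to it. It assumes the Az.Accounts and Az.OperationalInsights modules, an existing sign-in, placeholder resource group and workspace names, and that `Get-AzOperationalInsightsTable` returns a `RetentionInDays` property per table (Az.OperationalInsights 3.x). The KQL follows Microsoft’s convention of treating `Quantity` as MB and dividing by 1000 to get GB.

```powershell
# Added example (not from the original article): summarise billable ingestion per table
# for the last N days and show workspace and per-table retention alongside it.
# Assumes Az.Accounts and Az.OperationalInsights are installed and you are signed in.
# $ResourceGroup and $WorkspaceName are placeholders for your own values.
param(
    [string]$ResourceGroup = 'rg-sentinel-prod',    # placeholder
    [string]$WorkspaceName = 'law-sentinel-prod',   # placeholder
    [int]$Days = 30
)

$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
Write-Host "Workspace '$($ws.Name)' default retention: $($ws.RetentionInDays) days"

# The Usage table records billable volume per data type; Quantity is in MB.
$kql = @"
Usage
| where TimeGenerated > ago(${Days}d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1000, 2) by DataType
| sort by IngestedGB desc
"@

# CustomerId is the workspace GUID that the query API expects (not the ARM resource id).
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql

# Per-table retention is the other half of the cost picture; build a lookup by table name.
# Assumption: each table object exposes Name and RetentionInDays.
$retention = @{}
foreach ($t in (Get-AzOperationalInsightsTable -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName)) {
    $retention[$t.Name] = $t.RetentionInDays
}

$report = foreach ($row in $result.Results) {
    [pscustomobject]@{
        Table         = $row.DataType
        IngestedGB    = [double]$row.IngestedGB
        RetentionDays = if ($retention.ContainsKey($row.DataType)) { $retention[$row.DataType] }
                        else { $ws.RetentionInDays }
    }
}

# Largest ingesters first: these are the tables where a retention change pays off most.
$report | Sort-Object IngestedGB -Descending | Format-Table -AutoSize
```

The tables at the top of the list with the longest retention are the ones to take to the business owners first; a table nobody queries that is retained for a year is the classic “forgot how my money is being spent” case.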
Review Access to Sentinel
It is also good practice to review permissions for your Sentinel users. Whether it is the SOC, SecOps, or another team, we still need to do good housekeeping in our own Sentinel ‘house’. Consider how your team is utilizing the built-in roles for Sentinel and whether there is room for improvement in the area of least privilege. In my experience, in security we all strive to lead by example.
Microsoft Learn does an excellent job of explaining the roles for us (source):
All Microsoft Sentinel built-in roles grant read access to the data in your Microsoft Sentinel workspace.
- Microsoft Sentinel Reader can view data, incidents, workbooks, and other Microsoft Sentinel resources.
- Microsoft Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.).
- Microsoft Sentinel Contributor can, in addition to the above, install and update solutions from content hub, create and edit workbooks, analytics rules, and other Microsoft Sentinel resources.
- Microsoft Sentinel Playbook Operator can list, view, and manually run playbooks.
- Microsoft Sentinel Automation Contributor allows Microsoft Sentinel to add playbooks to automation rules. It isn’t meant for user accounts.
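The role list above is the yardstick; here is an added example (mine, not from the original article or Microsoft’s documentation) of the access review itself: it lists every assignment of a Microsoft Sentinel built-in role that applies to the workspace, including assignments inherited from the resource group or subscription, and flags the Automation Contributor role when it is held by a user account, since the documentation says that role is not meant for users. It also flags Contributor assigned directly to individual users, which is my own practice (groups are easier to re-certify), and inherited assignments, which are broader than the workspace. It assumes the Az.Accounts, Az.Resources and Az.OperationalInsights modules, a sign-in that can read role assignments, and placeholder resource group and workspace names.

```powershell
# Added example (not from the original article): review who holds the Microsoft Sentinel
# built-in roles on a workspace and flag common least-privilege findings.
# Assumes Az.Accounts, Az.Resources and Az.OperationalInsights are installed and you are
# signed in with permission to read role assignments. Names below are placeholders.
param(
    [string]$ResourceGroup = 'rg-sentinel-prod',   # placeholder
    [string]$WorkspaceName = 'law-sentinel-prod'   # placeholder
)

$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Querying at the workspace scope also returns inherited assignments (resource group,
# subscription, management group), which is what an access review needs to see.
$assignments = Get-AzRoleAssignment -Scope $ws.ResourceId |
    Where-Object { $_.RoleDefinitionName -like 'Microsoft Sentinel*' }

# Inventory: who has which Sentinel role, and where the assignment lives.
$assignments |
    Sort-Object RoleDefinitionName, ObjectType, DisplayName |
    Format-Table RoleDefinitionName, ObjectType, DisplayName, SignInName, Scope -AutoSize

# Findings, from the docs' own guidance (Automation Contributor) plus my own review habits.
$findings = foreach ($a in $assignments) {
    if ($a.RoleDefinitionName -eq 'Microsoft Sentinel Automation Contributor' -and $a.ObjectType -eq 'User') {
        [pscustomobject]@{ Severity = 'High';   Principal = $a.DisplayName; Role = $a.RoleDefinitionName
                           Note = 'Automation Contributor is for the Sentinel service, not user accounts' }
    }
    elseif ($a.RoleDefinitionName -eq 'Microsoft Sentinel Contributor' -and $a.ObjectType -eq 'User') {
        [pscustomobject]@{ Severity = 'Medium'; Principal = $a.DisplayName; Role = $a.RoleDefinitionName
                           Note = 'Direct user assignment; consider a group so membership is reviewable' }
    }
    elseif ($a.Scope -ne $ws.ResourceId) {
        # The role itself may be fine, but it applies beyond this workspace.
        [pscustomobject]@{ Severity = 'Info';   Principal = $a.DisplayName; Role = $a.RoleDefinitionName
                           Note = "Inherited from $($a.Scope)" }
    }
}

if ($findings) { $findings | Sort-Object Severity | Format-Table -AutoSize }
else           { Write-Host 'No least-privilege findings for Microsoft Sentinel roles.' }
```

Run this on the same cadence as the rest of your governance pass and keep the inventory output with your notes; comparing two runs is the quickest way to spot a Reader who quietly became a Contributor.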
There are always more steps we can take, but this is really intended as an overview and starting point. The amount of time that these tasks will take also varies quite a bit. In my experience, the governance gets faster the more you do it…until one day it doesn’t, due to a larger volume of changes to be made or a big stack of Analytics rules to update. The key to success is consistency and persistence with governance of Sentinel. Take the time every few weeks, each month, or whatever cycle works for your team, and it will become habit.
Join me in the next article where we will take these starting points and expand on them with additional details. I’ll be adding a few extra tips that I’ve used over the last few years to help keep Sentinel instances peachy keen!