SEC05 - Sentinel: 3-Wk Proof of Concept (PoC)

Microsoft Sentinel is a scalable, cloud-native, Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution from Microsoft 365. Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response. Sentinel is a strong addon from Microsoft 365 to existing security measures. It takes security to the next level, by analyzing data collected across all existing security solutions, using advanced queries, to detect suspicious activity, and can function as the central security incident portal for your entire organization. This reduces time spent on figuring out what is happening, allowing the organization to instead focus on what to do.

Establish acceptance of the fact that it is continuous work to manage and maintain Sentinel. Your environment (inside and outside your organization) is constantly changing, and therefore a good setup today is not necessarily a good setup tomorrow. This means that Sentinel is constantly evolving.

You should start small and build from there. Mindcore suggests starting with a Proof of Concept (PoC) with a few data connectors. This is the best way to assess the solution and to understand the insights that you can gain, and how to use this insight to improve your security. Typical scope is 2-4 working days, split over 2-3 weeks.

1. WHERE DO WE START? Initial conversation on what the organization expects from Sentinel, and where to start, i.e.

• Entity Behavior
• Break the glass account successful/failed login
• Incidents/alerts  based on license type and available data
• Architecture

2. INITIAL SETUP: Initial setup of Sentinel and PoC scope

• Sentinel
• Log Analytics
• Agents
• Pre-defined analytic rules
• Data connectors
• (OPTIONAL: Single Logic App))

3. POC TEST PHASE: Data collection (1-2 weeks) and review collected data to verify insights
4. EVALUATE & OUTPUT: Evaluate PoC output, and discuss how the organization can adopt, manage and expand the use of Sentinel