Microsoft Sentinel Deployment Best Practices, 2nd Edition - A Letter from the Editor
When we wrote the first Microsoft Sentinel Deployment Best Practices Guide in 2021, it was about helping security teams successfully navigate a particularly vexing security migration project - moving to a new SIEM platform.
We became fans of Microsoft Sentinel (f.k.a. Azure Sentinel) quite early, but regardless of what SIEM platform you’re adopting, the number and size of potential gotchas can be immense. First, the entire purpose of the SIEM is to be an aggregation and analysis tool for disparate data types, often in high volumes. Data ingestion, processing, and storage costs can be very high if not tightly managed. Moreover, simple but unchecked data errors can significantly diminish the value of the SIEM as a security tool. The SIEM also manages highly sensitive data and serves as the lifeblood of the SecOps team. Since keeping a business operational during a cyberattack can depend on data analyzed by the SIEM, successful implementation and ongoing operation are critical.
When Microsoft jumped into the SIEM market, thousands of security practitioners, data scientists, network engineers, CISOs, and others were looking for dependable advice on successfully adopting the platform. Our first version of the Best Practices Guide was intended to meet that need, bringing together key learnings we gathered from completing hundreds of Sentinel deployments worldwide.
With the first edition released in 2021, the guide had become a little long in the tooth by 2023. Microsoft has been quick to release new functionality into the platform, and the number of organizations knocking on our door for deployment advice continues to grow.
We’ve also worked with larger and more complex organizations that are tackling difficult challenges with their SIEM implementations. National governments, local governments, and Fortune 100 companies have brought us some truly challenging scenarios. We had to develop creative solutions to ensure that security teams operated at their best and that CFOs and taxpayers stayed satisfied with the ROI from the SIEM.
Problems like: what do you do in a single M365 tenant where different departments have different data access requirements? O365, AAD, and other tenant-linked logs are, by default, collected into shared tables in the Log Analytics workspace behind Sentinel, but there are sometimes operational reasons why this data should be treated differently for different user groups.
Options for data filtering and control have also expanded since our 2021 guide, with the introduction of Data Collection Rules (DCRs) and the broad adoption of the Azure Monitor Agent (AMA). While in 2021 we were still getting creative with ways to optimize Azure data ingestion into the SIEM, these tools give us standardized ways to collect and analyze the security data that matters and to filter out what doesn’t before it is billed.
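As an added illustration (not taken from the guide itself), the Bicep below defines a DCR for Windows Security events collected by AMA with two layers of filtering: an xPath query that selects only the event IDs the SOC actually uses, and a KQL transformation that drops machine-account logons before they reach the workspace. The rule name, the parameter name, the chosen event IDs, and the transform are our assumptions for the example; the xPath filter is the first and cheapest place to cut volume, and the transform is where to handle anything xPath cannot express.

```bicep
// Added example: a Data Collection Rule that filters Windows Security events
// collected via the Azure Monitor Agent before they are ingested into the
// Log Analytics workspace backing Microsoft Sentinel.
// Assumption: the workspace already exists; pass its full resource ID in.
@description('Resource ID of the Log Analytics workspace enabled for Sentinel')
param workspaceResourceId string

// Assumed rule name and location for the example.
resource securityEventsDcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'dcr-securityevents-filtered'
  location: resourceGroup().location
  kind: 'Windows'
  properties: {
    dataSources: {
      windowsEventLogs: [
        {
          name: 'securityEvents'
          streams: ['Microsoft-SecurityEvent']
          // First filter: the agent only forwards these event IDs. The list is
          // an example (logon success/failure, process creation, user created);
          // align it with the analytic rules the SOC actually runs.
          xPathQueries: [
            'Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720)]]'
          ]
        }
      ]
    }
    destinations: {
      logAnalytics: [
        {
          name: 'sentinelWorkspace'
          workspaceResourceId: workspaceResourceId
        }
      ]
    }
    dataFlows: [
      {
        streams: ['Microsoft-SecurityEvent']
        destinations: ['sentinelWorkspace']
        // Second filter: a KQL transformation on the incoming rows. Here it
        // drops successful logons by machine accounts (names ending in "$"),
        // which are typically high-volume and low-value. Confirm no detection
        // depends on them before applying a drop like this in production.
        transformKql: 'source | where not(EventID == 4624 and Account endswith \'$\')'
      }
    ]
  }
}

output dcrId string = securityEventsDcr.id
```

Deploy the file with `az deployment group create`, associate the resulting DCR with the target machines, and then confirm the effect in the workspace with a query such as `Usage | where DataType == "SecurityEvent" | summarize sum(Quantity) by bin(TimeGenerated, 1d)`, comparing daily volume before and after the rule is active.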
Like the first edition, we’ve written the guide to be as pragmatic as possible, speaking to security practitioners from their perspective. Microsoft’s official documentation for Sentinel has expanded tremendously over the past two years, as has Microsoft’s rich and growing community and ecosystem of blogs, podcasts, partners, and KQL nerds. Alongside that body of knowledge, we’ve found that our experience of what works, what doesn’t, and which tradeoffs to weigh is valuable to teams running business-critical enterprise environments.
While we are as excited as anyone to talk about how recent advancements like Security Copilot and generative AI will enhance the SIEM experience, those topics will have to wait for the third edition. This deployment guide is centered on techniques we have successfully applied in demanding production environments. The security industry will need more time before we see how this new generation of AI advancements brings clear business value to SecOps teams. That is an exciting area with lots of energy, and one where we are engaging in R&D. We look forward to interacting with you on more cutting-edge research through our blog and LinkedIn communities.
It’s been an absolute pleasure working with the real brains behind the operation, Marius Mocanu and Adrian Grigorof, on preparing this guide - and this blog is not the last you’ll hear from us! We will be co-presenting sections of the guide alongside SMEs from Microsoft over the summer, publishing additional technical blogs, and continuing Sentinel and Defender project work with our customers. If you are interested in learning more about BlueVoyant's Microsoft offerings, please contact us.