What's Next for Your SIEM?

May 7, 2025 | 2 min read

Brian Rowe

Security Architect


While deployment of Microsoft Sentinel is an important first step to cybersecurity maturation, it's the beginning of a journey, not the destination. Find out more about what comes next.

You’ve just finished your Microsoft Sentinel deployment and have your shiny new SIEM up and running. Is your job done? Can a SIEM ever really be finished? The answer is “no” because your organization’s needs change, new technologies emerge, and cyber attack vectors constantly evolve.

At BlueVoyant, we understand the unique complexities of your environment as well as the ever-changing security landscape, and we have the expert resources to help you navigate whichever areas you find could use some additional assistance.

Now that you have completed your Microsoft Sentinel deployment, let's focus on three key areas that often trip users up: log sources, health monitoring, and automations. Each comes with some questions to help ensure you are getting the most value out of your investment.

Questions to Ask Your Security Team

Log Sources, Detections, and Value

  • Have you chased down ingestion of those remaining log sources that you just weren’t able to ingest properly with the original deployment?
  • Have you identified blind spots that may exist in your organization’s current logging and alerting implementation?
  • Have you tuned your log source ingestion to only the events that have security or compliance value for your organization to help save on costs?
  • Have you developed workbooks/dashboards to help quickly visualize activity in your environment?
  • Do you regularly review your detections to help identify improvements and tuning opportunities?
  • Are you deriving the most value out of the logs that you are already collecting with new detections/analytic rules?
    • Have you decided on your content development strategy? Are you building off of MITRE ATT&CK, threat intelligence, compliance requirements, something else?
    • Have you accounted for ingestion delay as part of your analytic rule development?
    • Are you configuring entity mapping with your detections to take advantage of incident correlation and UEBA features built into Sentinel?
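The two sub-questions above, ingestion delay and entity mapping, come together in how a scheduled analytics rule query is written. The following KQL is an added example and is not from the BlueVoyant post or from Microsoft; it assumes a rule that runs every hour over a one-hour query period against the SigninLogs table, and the 10-minute delay value and the threshold of 10 failures are placeholders you would replace with what you measure in your own workspace.

```kql
// Added example, not from the post. A scheduled analytics rule query that
// accounts for ingestion delay and projects the columns entity mapping needs.
// Assumptions: rule runs every 1h over a 1h query period; 10m of ingestion
// delay is a placeholder, measure yours with: ingestion_time() - TimeGenerated
let rule_look_back = 1h;      // must match the rule's "run query every" / "lookup data from"
let ingestion_delay = 10m;    // assumed value for SigninLogs in this workspace
let failure_threshold = 10;   // assumed tuning value
SigninLogs
// Widen the TimeGenerated window so late-arriving events are still in scope...
| where TimeGenerated >= ago(rule_look_back + ingestion_delay)
// ...but only evaluate events that landed in the workspace during this run's period,
// so every event is seen by exactly one rule run (no gaps, no duplicate incidents).
| where ingestion_time() > ago(rule_look_back)
| where ResultType != "0"     // a non-zero ResultType is a failed sign-in
| summarize FailedCount = count(),
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated),
            Apps = make_set(AppDisplayName, 10)
            by UserPrincipalName, IPAddress
| where FailedCount >= failure_threshold
// Keep UserPrincipalName and IPAddress as output columns: map them to the
// Account (FullName) and IP (Address) entities in the rule's entity mapping so
// incidents correlate across rules and UEBA can use the same entities.
| project UserPrincipalName, IPAddress, FailedCount, FirstFailure, LastFailure, Apps
```

The key point is the pair of time filters: the TimeGenerated filter is widened by the expected delay, while the ingestion_time() filter stays equal to the rule's period. A rule that filters on TimeGenerated alone silently drops events that arrive after the run that should have evaluated them.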

Health Monitoring

  • Are you prepared for log sources going quiet?
  • Are you prepared for runaway log sources driving up cost?
  • What about log source schema changes affecting your alert rules?
  • Are you monitoring the success of your alert rule runs?
  • Are you monitoring the performance of your alert rule runs?
  • Have you developed workbooks/dashboards or automations to help quickly review the health of your Sentinel environment?
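The first two health questions, sources going quiet and runaway sources driving up cost, can be answered from the same data. The following KQL is an added example and is not from the BlueVoyant post; it runs against the Log Analytics Usage table that every workspace has, builds a per-table daily baseline over the previous 14 days, and flags tables whose last 24 hours are either empty or far above the baseline. The 14-day window, the 3x spike multiplier, and the 24-hour comparison window are assumptions to tune for your environment.

```kql
// Added example, not from the post. Flags tables that stopped ingesting
// ("quiet") or spiked well above their recent baseline ("runaway").
// Assumptions: 14d baseline, 1d comparison window, 3x multiplier for a spike.
let lookback = 14d;
let window = 1d;
// Usage.Quantity is in MB per record; convert to GB for readability.
let baseline = Usage
    | where TimeGenerated between (ago(lookback + window) .. ago(window))
    | where IsBillable == true
    | summarize DailyGB = sum(Quantity) / 1024 by DataType, bin(TimeGenerated, 1d)
    | summarize AvgDailyGB = avg(DailyGB), MaxDailyGB = max(DailyGB) by DataType;
let recent = Usage
    | where TimeGenerated > ago(window)
    | where IsBillable == true
    | summarize RecentGB = sum(Quantity) / 1024 by DataType;
baseline
// leftouter keeps tables that have no rows at all in the recent window
| join kind=leftouter recent on DataType
| extend RecentGB = coalesce(RecentGB, 0.0)
| extend Status = case(
    RecentGB == 0 and AvgDailyGB > 0, "Quiet - no ingestion in window",
    RecentGB > 3 * AvgDailyGB and RecentGB > MaxDailyGB, "Runaway - volume spike",
    "Normal")
| where Status != "Normal"
| project DataType,
          AvgDailyGB = round(AvgDailyGB, 3),
          MaxDailyGB = round(MaxDailyGB, 3),
          RecentGB = round(RecentGB, 3),
          Status
| order by Status asc, RecentGB desc
```

Run this as a scheduled query or pin it to a health workbook so that a connector that breaks on a Friday is noticed before Monday's incident review. Note that the Usage table reports per data type, so a single noisy host inside a shared table such as CommonSecurityLog needs a second query against that table grouped by device; rule-run success and failure are a separate concern covered by the SentinelHealth table once health monitoring is enabled.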

Automations

  • Any specific incidents/alerts that you want to take automatic SOAR actions upon to save response hours, such as:
    • Enrich with threat intelligence/Configuration Management Database (CMDB)?
    • Send an email?
  • Any entity-based response actions you'd like to perform, such as:
    • Secure an account?
    • Block an IP?
  • Have you investigated using Microsoft Security Copilot to help speed incident response?

Conclusion

Hopefully, these questions have offered valuable insights to ignite your organization's strategies for continuously advancing the maturity of your SIEM.

However, if you are unsure how best to answer these questions, we can help! As the leading global Microsoft Security partner, our Continuous Optimization for Microsoft Security (COMS) solution lets you add next-generation technology and threat intelligence, backed by a top global team of Microsoft Security experts, to help ensure your security team is at the top of its game and making maximum use of Defender XDR, Sentinel, and Azure Cloud capabilities. At the same time, you'll be able to effectively manage and forecast your costs.

COMS provides you with effective, ongoing management to control costs, optimize configuration, and adopt the new features and functionality that are essential to maximizing both your investment and your security posture. BlueVoyant has the expertise and proprietary, scalable tooling to help you effectively implement Microsoft Security technology in complex enterprise environments and operate that technology to defend enterprise networks from advanced threats.
