Редактиране

Споделяне чрез


Track your Microsoft Sentinel migration with a workbook

As your organization's security operations center (SOC) handles growing amounts of data, it's essential to plan and monitor your deployment status. While you can track your migration process using generic tools such as Microsoft Project, Microsoft Excel, Microsoft Teams, or Azure DevOps, these tools aren’t specific to security information and event management (SIEM) migration tracking. To help you to track, we provide a dedicated workbook in Microsoft Sentinel named Microsoft Sentinel Deployment and Migration.

The workbook helps you to:

  • Visualize migration progress
  • Deploy and track data sources
  • Deploy and monitor analytics rules and incidents
  • Deploy and utilize workbooks
  • Deploy and perform automation
  • Deploy and customize user and entity behavioral analytics (U E B A)

This article describes how to track your migration with the Microsoft Sentinel Deployment and Migration workbook, how to customize and manage the workbook, and how to use the workbook tabs to deploy and monitor data connectors, analytics, incidents, playbooks, automation rules, U E B A, and data management. Learn more about how to use Azure Monitor workbooks in Microsoft Sentinel.

Deploy the workbook content and view the workbook

To get the workbook, first install the standalone item from the Content hub in Microsoft Sentinel.

  1. In the Microsoft Sentinel Content hub, filter the content listed by Content type = Workbooks, and then enter migration in the search bar.

  2. From the search results, select the Microsoft Sentinel Deployment and Migration workbook and then select Install. Microsoft Sentinel deploys the workbook and saves the workbook in your environment.

  3. In Microsoft Sentinel, under Threat management, select Workbooks > Templates.

  4. Select the Microsoft Sentinel Deployment and Migration workbook and View template.

Deploy the watchlist

The next step is to deploy the related watchlist from the Microsoft Sentinel GitHub repository.

  1. In the Microsoft Sentinel GitHub repository, select the DeploymentandMigration folder, and select Deploy to Azure to begin the template deployment in Azure.
  2. Provide the Microsoft Sentinel resource group and workspace name. Screenshot of deploying the watchlist to Azure.
  3. Select Review and create.
  4. After the information is validated, select Create.

Update the watchlist with deployment and migration actions

This step is crucial to the tracking setup process. If you skip this step, the workbook doesn't reflect the items for tracking.

To update the watchlist with deployment and migration actions:

  1. In the Azure or Microsoft Defender portal, select Microsoft Sentinel and then select Watchlist.
  2. Select the watchlist with the Deployment alias.
  3. Then select Update watchlist > edit watchlist items.
  4. Provide the information for the actions needed for the deployment and migration. Screenshot of updating watchlist items with deployment and migration actions.
  5. Select Save.

You can now view the watchlist within the migration tracker workbook. Learn how to manage watchlists.

In addition, your team might update or complete tasks during the deployment process. To address these changes, update existing actions or add new actions as you identify new use cases or set new requirements. To update or add actions, edit the Deployment watchlist that you deployed. To simplify the process, in the workbook, select Edit Deployment Watchlist to open the watchlist directly from the workbook.

View deployment status

To quickly view the deployment progress, in the Microsoft Sentinel Deployment and Migration workbook, select Deployment and scroll down to locate the Summary of progress. This area displays the deployment status, including the following information:

  • Tables reporting data
  • Number of tables reporting data
  • Number of reported logs and which tables report the log data
  • Number of enabled rules vs. undeployed rules
  • Recommended workbooks deployed
  • Total number of workbooks deployed
  • Total number of playbooks deployed

Deploy and monitor data connectors

To monitor deployed resources and deploy new connectors, in the Microsoft Sentinel Deployment and Migration workbook, select Data Connectors > Monitor. The Monitor view lists:

  • Current ingestion trends
  • Tables ingesting data
  • How much data each table is reporting
  • Endpoints reporting with Azure Monitor Agent (AMA)
  • Data collection rules in the resource group and the devices linked to the rules
  • Data connector health (changes and failures)
  • Health logs within the specified time range

Screenshot of the workbook's Data Connectors tab Monitor view.

To configure a data connector:

  1. Select the Configure view.
  2. Select the button with the name of the connector you want to configure.
  3. Configure the connector in the connector status screen that opens. If you can't find a connector you need, select the connector name to open the connector gallery or solution gallery. Screenshot of the workbook's Configure view.

Deploy and monitor analytics and incidents

When the data is reported in the workspace, configure and monitor analytics rules. In the Microsoft Sentinel Deployment and Migration workbook, select the Analytics tab to view all deployed rule templates and lists. This view indicates which rules are currently in use and how often the rules generate incidents.

Screenshot of the workbook's Analytics tab.

If you need more coverage, select Review MITRE coverage below the table on the left. Use this option to define which areas receive more coverage and which rules are deployed, at any stage of the migration project.

Screenshot of the workbook's MITRE Coverage view.

When you deploy the analytics rules and the Defender product connector is configured to send the alerts, monitor incident creation and frequency under Deployment > Summary of progress. This area displays metrics regarding alert generation by product, title, and classification, to indicate the health of the SOC and which alerts require the most attention. If alerts are generating too much volume, return to the Analytics tab to modify the logic.

Screenshot of the summary of progress under the workbook's Analytics tab.

Deploy and utilize workbooks

To visualize information regarding the data ingestion and detections that Microsoft Sentinel performs, in the Microsoft Sentinel Deployment and Migration workbook, select Workbooks. Similar to the Data Connectors tab, use the Monitor and Configure views to view monitoring and configuration information.

Here are some useful tasks to do in the Workbooks tab:

  • To view a list of all workbooks in the environment and how many workbooks are deployed, select Monitor.

  • To view a specific workbook within the Microsoft Sentinel Deployment and Migration workbook, select a workbook and then select Open Selected Workbook.

    Screenshot of selecting a workbook in the Workbook tab.

  • If you haven't yet deployed workbooks, select Configure to view a list of commonly used and recommended workbooks. If a workbook isn't listed, select Go to Workbook Gallery or Go to Content Hub to deploy the relevant workbook.

    Screenshot of viewing a workbook from the Workbook tab.

Deploy and monitor playbooks and automation rules

When you configure data ingestion, detections, and visualizations, you can now look into automation. In the Microsoft Sentinel Deployment and Migration workbook, select Automation to view deployed playbooks, and to see which playbooks are currently connected to an automation rule. If automation rules exist, the workbook highlights the following information regarding each rule:

  • Name
  • Status
  • Action or actions of the rule
  • The last date the rule was modified and the user that modified the rule
  • The date the rule was created

To view, deploy, and test automation within the current section of the workbook, select Deploy automation resources on the bottom left.

Learn about Microsoft Sentinel SOAR capabilities for playbooks and for automation rules.

Screenshot of the workbook's Automation tab.

Deploy and monitor U E B A

Because data reporting and detections happen at the entity level, it's essential to monitor entity behavior and trends. To enable the U E B A feature within Microsoft Sentinel, in the Microsoft Sentinel Deployment and Migration workbook, select UEBA. Here you can customize the entity timelines for entity pages, and view which entity related tables are populated with data.

Screenshot of the workbook's U E B A tab.

To enable U E B A:

  1. Select Enable UEBA above the list of tables.
  2. To enable U E B A, select On.
  3. Select the data sources you want to use to generate insights.
  4. Select Apply.

After you enable U E B A, monitor and ensure that Microsoft Sentinel is generating U E B A data.

To customize the timeline:

  1. Select Customize Entity Timeline above the list of tables.
  2. Create a custom item, or select one of the out-of-the-box templates.
  3. To deploy the template and complete the wizard, select Create.

Learn more about U E B A or learn how to customize the timeline.

Configure and manage the data lifecycle

When you deploy or migrate to Microsoft Sentinel, it's essential to manage the usage and lifecycle of the incoming logs. In the Microsoft Sentinel Deployment and Migration workbook, select Data Management to view and configure table retention and archival.

Screenshot of the workbook's Data Management tab.

View information regarding:

  • Tables configured for basic log ingestion
  • Tables configured for analytics tier ingestion
  • Tables configured to be archived
  • Tables on the default workspace retention

To modify the existing retention policy for tables:

  1. Select the Default Retention Tables view.
  2. Select the table you want to modify, and select Update Retention. Edit the following information as needed:
    • Current retention in the workspace
    • Current retention in the archive
    • Total number of days the data lives in the environment
  3. Edit the TotalRetention value to set a new total number of days that the data should exist within the environment.

The ArchiveRetention value is calculated by subtracting the TotalRetention value from the InteractiveRetention value. If you need to adjust the workspace retention, the change doesn't impact tables that include configured archives and data isn't lost. If you edit the InteractiveRetention value and the TotalRetention value doesn't change, Azure Log Analytics adjusts the archive retention to compensate the change.

If you prefer to make changes in the UI, select Update Retention in UI to open the relevant page.

Learn about data lifecycle management.

Enable migration tips and instructions

To assist with the deployment and migration process, the workbook includes tips that explain how to use the different tabs, and links to relevant resources. The tips are based on Microsoft Sentinel migration documentation and are relevant to your current SIEM. To enable tips and instructions, in the Microsoft Sentinel Deployment and Migration workbook, on the top right, set MigrationTips and Instruction to Yes.

Screenshot of the workbook's migration tips and instructions.

Next steps

In this article, you learned how to track your migration with the Microsoft Sentinel Deployment and Migration workbook.