Deployment guide for Microsoft Sentinel

This article introduces the activities that help you plan, deploy, and fine tune your Microsoft Sentinel deployment.

Plan and prepare overview

This section introduces the activities and prerequisites that help you plan and prepare before deploying Microsoft Sentinel.

The plan and prepare phase is typically performed by a SOC architect or related roles.

Step Details
1. Plan and prepare overview and prerequisites Review the Azure tenant prerequisites.
2. Plan workspace architecture Design your Microsoft Sentinel workspace. Consider parameters such as:

- Whether you'll use a single tenant or multiple tenants
- Any compliance requirements you have for data collection and storage
- How to control access to Microsoft Sentinel data

Review these articles:

1. Review best practices
2. Design workspace architecture
3. Review sample workspace designs
4. Prepare for multiple workspaces
3. Prioritize data connectors Determine which data sources you need and the data size requirements to help you accurately project your deployment's budget and timeline.

You might determine this information during your business use case review, or by evaluating a current SIEM that you already have in place. If you already have a SIEM in place, analyze your data to understand which data sources provide the most value and should be ingested into Microsoft Sentinel.
4. Plan roles and permissions Use Azure role based access control (RBAC) to create and assign roles within your security operations team to grant appropriate access to Microsoft Sentinel. The different roles give you fine-grained control over what Microsoft Sentinel users can see and do. Azure roles can be assigned in the Microsoft Sentinel workspace directly, or in a subscription or resource group that the workspace belongs to, which Microsoft Sentinel inherits.
5. Plan costs Start planning your budget, considering cost implications for each planned scenario.

Make sure that your budget covers the cost of data ingestion for both Microsoft Sentinel and Azure Log Analytics, any playbooks that will be deployed, and so on.

Deployment overview

The deployment phase is typically performed by a SOC analyst or related roles.

Step Details
1. Enable Microsoft Sentinel, health and audit, and content Enable Microsoft Sentinel, enable the health and audit feature, and enable the solutions and content you've identified according to your organization's needs.
2. Configure content Configure the different types of Microsoft Sentinel security content, which allow you to detect, monitor, and respond to security threats across your systems: Data connectors, analytics rules, automation rules, playbooks, workbooks, and watchlists.
3. Set up a cross-workspace architecture If your environment requires multiple workspaces, you can now set them up as part of your deployment. In this article, you learn how to set up Microsoft Sentinel to extend across multiple workspaces and tenants.
4. Enable User and Entity Behavior Analytics (UEBA) Enable and use the UEBA feature to streamline the analysis process.
5. Set up data retention and archive Set up data retention and archive, to make sure your organization retains the data that's important in the long term.

Fine tune and review: Checklist for post-deployment

Review the post-deployment checklist to helps you make sure that your deployment process is working as expected, and that the security content you deployed is working and protecting your organization according to your needs and use cases.

The fine tune and review phase is typically performed by a SOC engineer or related roles.

Step Actions
Review incidents and incident process - Check whether the incidents and the number of incidents you're seeing reflect what's actually happening in your environment.
- Check whether your SOC's incident process is working to efficiently handle incidents: Have you assigned different types of incidents to different layers/tiers of the SOC?

Learn more about how to navigate and investigate incidents and how to work with incident tasks.
Review and fine-tune analytics rules - Based on your incident review, check whether your analytics rules are triggered as expected, and whether the rules reflect the types of incidents you're interested in.
- Handle false positives, either by using automation or by modifying scheduled analytics rules.
- Microsoft Sentinel provides built-in fine-tuning capabilities to help you analyze your analytics rules. Review these built-in insights and implement relevant recommendations.
Review automation rules and playbooks - Similar to analytics rules, check that your automation rules are working as expected, and reflect the incidents you're concerned about and are interested in.
- Check whether your playbooks are responding to alerts and incidents as expected.
Add data to watchlists Check that your watchlists are up to date. If any changes have occurred in your environment, such as new users or use cases, update your watchlists accordingly.
Review commitment tiers Review the commitment tiers you initially set up, and verify that these tiers reflect your current configuration.
Keep track of ingestion costs To keep track of ingestion costs, use one of these workbooks:
- The Workspace Usage Report workbook provides your workspace's data consumption, cost, and usage statistics. The workbook gives the workspace's data ingestion status and amount of free and billable data. You can use the workbook logic to monitor data ingestion and costs, and to build custom views and rule-based alerts.
- The Microsoft Sentinel Cost workbook gives a more focused view of Microsoft Sentinel costs, including ingestion and retention data, ingestion data for eligible data sources, Logic Apps billing information, and more.
Fine-tune Data Collection Rules (DCRs) - Check that your DCRs reflect your data ingestion needs and use cases.
- If needed, implement ingestion-time transformation to filter out irrelevant data even before it's first stored in your workspace.
Check analytics rules against MITRE framework Check your MITRE coverage in the Microsoft Sentinel MITRE page: View the detections already active in your workspace, and those available for you to configure, to understand your organization's security coverage, based on the tactics and techniques from the MITRE ATT&CK® framework.
Hunt for suspicious activity Make sure that your SOC has a process in place for proactive threat hunting. Hunting is a process where security analysts seek out undetected threats and malicious behaviors. By creating a hypothesis, searching through data, and validating that hypothesis, they determine what to act on. Actions can include creating new detections, new threat intelligence, or spinning up a new incident.

In this article, you reviewed the activities in each of the phases that help you deploy Microsoft Sentinel.

Depending on which phase you're in, choose the appropriate next steps:

When you're finished with your deployment of Microsoft Sentinel, continue to explore Microsoft Sentinel capabilities by reviewing tutorials that cover common tasks: