☎️
Contrxl
  • 🏡Home
  • ❓Anonymity Tools
  • ⌨️Cisco
    • Networking Basics
      • Communication in a Connected World
      • Network Components, Types and Connections
      • Wireless and Mobile Networks
      • Home Networking Technologies
      • Communication Protocols
      • Network Media
      • The Access Layer
      • The Internet Protocol
      • IPv4 and Network Segmentation
  • 💾Intune
    • ADMX Configuration
    • App Deployment
    • App Updating/Patching
    • File Deployment
    • Remediations
  • 🎓Learning Links
  • 💻Microsoft
    • 📘Microsoft Portal Links
    • Configure SIEM Security Operations using Microsoft Sentinel
      • Create and Manage Microsoft Sentinel Workspaces
        • Introduction
        • Plan for the Microsoft Sentinel Workspace
        • Create a Microsoft Sentinel Workspace
        • Manage Workspaces Across Tenants Using Azure Lighthouse
        • Understand Microsoft Sentinel Permissions and Roles
        • Manage Microsoft Sentinel Settings
        • Configure Logs
  • 📰News & Information
  • 💡OSINT
    • IP & Domain OSINT
    • Email & Username OSINT
    • Vulnerability OSINT
  • 📚Projects
    • ‼️A Simulation Study of DDoS
  • ⚒️Tools
    • Burp Suite
      • Repeater
      • Intruder
      • Other Modules
    • GoPhish
    • Hydra
    • John the Ripper
    • Metasploit
      • Exploitation
      • Meterpreter
    • NMAP
    • Wireshark
  • 🖥️TryHackMe
    • Learning Paths
      • Complete Beginner
        • 1. Complete Beginner Intro
        • 2. Linux Fundamentals
        • 3. Introductory Networking
        • 3.1 Network Exploitation Basics
        • 4. OWASP Top 10 Exploits
        • 5. Upload Vulnerabilities
        • 5.1 An Example Methodology
        • 6. Cryptography - Hashing
        • 7. Cryptography - Encryption
        • 8. Active Directory Basics
        • 9. What the Shell?
        • 10. Linux Privesc
        • 11. More Linux Privesc
      • Jr Penetration Tester
        • Walking an Application
        • Content Discovery
        • Subdomain Enumeration
        • Authentication Bypass
        • IDOR
        • File Inclusion
        • SSRF
        • XSS (Cross-site Scripting)
        • Command Injection
        • SQL Injection
        • Passive Reconnaissance
        • Active Reconnaissance
        • Protocols and Servers
        • Protocol and Server Attacks
        • Vulnerabilities
        • Exploiting Vulnerabilities
        • Linux Privilege Escalation
        • Windows Privilege Escalation
      • CompTIA Pentest+
        • Planning and Scoping
          • Pentesting Fundamentals
          • Red Team Engagements
          • Governance and Regulation
        • Tools and Code Analysis
          • Metasploit: Introduction
          • Wireshark: The Basics
          • Burp Suite: The Basics
          • Hydra
          • Python Basics
        • Attacks and Exploits
          • Phishing
          • Windows Local Persistence
          • Breaching Active Directory
          • Lateral Movement & Pivoting
Powered by GitBook
On this page
  1. Microsoft
  2. Configure SIEM Security Operations using Microsoft Sentinel
  3. Create and Manage Microsoft Sentinel Workspaces

Plan for the Microsoft Sentinel Workspace

Unit 2.

The Microsoft Sentinel solution is installed in a Log Analytics Workspace. The most important option here is the region, as the region specifies where the log data will reside. There are three implementation options for Microsoft Sentinel:

  • Single-Tenant with a single Microsoft Sentinel Workspace.

  • Single-Tenant with a regional Microsoft Sentinel Workspace.

  • Multi-Tenant.

Single-Tenant Single Workspace

This Workspace will be the central repository for logs across all resources in the same tenant. This workspace receives logs from resources in other regions within the same tenant. This creates two main concerns: this can incur a bandwidth cost and there may be data governance requiring data to be kept in a specific region, meaning this isn't an option.

Pros
Cons

Central pane of glass

May not meet data governance requirements

Consolidates all security logs and information

Can incur bandwidth costs for cross-region

Easier to query all information

Azure Log Analytics RBAC to control data access

Microsoft Sentinel RBAC for service RBAC

Single-Tenant with Regional Microsoft Sentinel Workspace

This has multiple Sentinel Workspaces which requires the creation and configuration of multiple Microsoft Sentinel and Log Analytics Workspaces.

Pros
Cons

No cross-region bandwidth cost

No central pane of glass, you can't see all data in one place

May be required to meet data governance requirements

Analytics, Workbooks etc. must be deployed multiple times

Granular data access control

Granular retention settings

Split billing

Multi-Tenant Workspace

Multi-tenant Workspaces are used if you are required to manage a Microsoft Sentinel Workspace outside your tenant, this can be done by implementing Azure Lighthouse. This configuration grants access to the tenants.

The same Workspace should be used for both Microsoft Sentinel and Microsoft Defender for Cloud, to ensure all logs collected by Defender can also be used by Microsoft Sentinel.

Last updated 10 months ago

💻
  • Single-Tenant Single Workspace
  • Single-Tenant with Regional Microsoft Sentinel Workspace
  • Multi-Tenant Workspace