When planning your Microsoft Sentinel workspace deployment, you must also design your Log Analytics workspace architecture. Decisions about the workspace architecture are typically driven by business and technical requirements. This article reviews key decision factors to help you determine the right workspace architecture for your organizations, including:

- Whether you'll use a single tenant or multiple tenants.
- Any compliance requirements you have for data collection and storage.
- How to control access to Microsoft Sentinel data.
- Cost implications for different scenarios.

For more information, see Design your Microsoft Sentinel workspace architecture and Sample workspace designs for common scenarios, and Pre-deployment activities and prerequisites for deploying Microsoft Sentinel.

See our video: Architecting SecOps for Success: Best Practices for Deploying Microsoft Sentinel

Tenancy considerations

While fewer workspaces are simpler to manage, you may have specific needs for multiple tenants and workspaces. For example, many organizations have a cloud environment that contains multiple Azure Active Directory (Azure AD) tenants, resulting from mergers and acquisitions or due to identity separation requirements.

When determining how many tenants and workspaces to use, consider that most Microsoft Sentinel features operate by using a single workspace or Microsoft Sentinel instance, and Microsoft Sentinel ingests all logs housed within the workspace.

Costs are one of the main considerations when determining Microsoft Sentinel architecture. For more information, see Microsoft Sentinel costs and billing.

If you have multiple tenants, such as if you're a managed security service provider (MSSP), we recommend that you create at least one workspace for each Azure AD tenant to support built-in, service to service data connectors that work only within their own Azure AD tenant.

All connectors based on diagnostics settings cannot be connected to a workspace that is not located in the same tenant where the resource resides. This applies to connectors such as Azure Firewall, Azure Storage, Azure Activity or Azure Active Directory.

Use Azure Lighthouse to help manage multiple Microsoft Sentinel instances in different tenants.

Partner data connectors are often based on API or agent collections, and therefore are not attached to a specific Azure AD tenant.

Compliance considerations

After your data is collected, stored, and processed, compliance can become an important design requirement, with a significant impact on your Microsoft Sentinel architecture.