Merge pull request #245037 from cwatson-cat/deploymentguide

Sentinel - deployment guide

Author: Stacyrch140

articles/lighthouse/how-to/manage-sentinel-workspaces.md

@@ -76,13 +76,13 @@ You can also deploy workbooks directly in an individual managed tenant for scena
 
 ## Run Log Analytics and hunting queries across Microsoft Sentinel workspaces
 
-Create and save Log Analytics queries for threat detection centrally in the managing tenant, including [hunting queries](../../sentinel/extend-sentinel-across-workspaces-tenants.md#cross-workspace-hunting). These queries can be run across all of your customers' Microsoft Sentinel workspaces by using the Union operator and the [workspace() expression](../../azure-monitor/logs/workspace-expression.md).
+Create and save Log Analytics queries for threat detection centrally in the managing tenant, including [hunting queries](../../sentinel/extend-sentinel-across-workspaces-tenants.md#hunt-across-multiple-workspaces). These queries can be run across all of your customers' Microsoft Sentinel workspaces by using the Union operator and the [workspace() expression](../../azure-monitor/logs/workspace-expression.md).
 
-For more information, see [Cross-workspace querying](../../sentinel/extend-sentinel-across-workspaces-tenants.md#cross-workspace-querying).
+For more information, see [Cross-workspace querying](../../sentinel/extend-sentinel-across-workspaces-tenants.md#query-multiple-workspaces).
 
 ## Use automation for cross-workspace management
 
-You can use automation to manage multiple Microsoft Sentinel workspaces and configure [hunting queries](../../sentinel/hunting.md), playbooks, and workbooks. For more information, see [Cross-workspace management using automation](../../sentinel/extend-sentinel-across-workspaces-tenants.md#cross-workspace-management-using-automation).
+You can use automation to manage multiple Microsoft Sentinel workspaces and configure [hunting queries](../../sentinel/hunting.md), playbooks, and workbooks. For more information, see [Cross-workspace management using automation](../../sentinel/extend-sentinel-across-workspaces-tenants.md#manage-multiple-workspaces-using-automation).
 
 ## Monitor security of Office 365 environments
 

articles/sentinel/TOC.yml

@@ -11,6 +11,46 @@
   items:
   - name: Onboard to Microsoft Sentinel
     href: quickstart-onboard.md
+- name: Deploy
+  items:
+  - name: Plan and prepare
+    items: 
+    - name: Overview and prerequisites      
+      href: prerequisites.md
+    - name: Plan workspace architecture
+      items:
+      - name: Review best practices
+        href: best-practices-workspace-architecture.md 
+      - name: Design workspace architecture
+        href: design-your-workspace-architecture.md      
+      - name: Review sample workspace designs
+        href: sample-workspace-designs.md
+      - name: Prepare for multiple workspaces
+        href: prepare-multiple-workspaces.md
+    - name: Prioritize data connectors
+      href: prioritize-data-connectors.md 
+    - name: Plan roles and permissions
+      href: roles.md
+    - name: Plan costs
+      href: billing.md
+  - name: Deploy
+    items: 
+    - name: Overview   
+      href: deploy-overview.md
+    - name: Enable Microsoft Sentinel and initial features and content
+      href: enable-sentinel-features-content.md
+    - name: Configure content
+      href: configure-content.md
+    - name: Set up multiple workspaces
+      href: use-multiple-workspaces.md
+    - name: Enable User and Entity Behavior Analytics (UEBA)
+      href: enable-entity-behavior-analytics.md
+    - name: Configure data retention and archive 
+      href: configure-data-retention-archive.md
+  - name: Review and fine-tune
+    items: 
+    - name: Review and fine-tune checklist   
+      href: review-fine-tune-overview.md    
 - name: Tutorials
   items:
   - name: Forward syslog data to workspace
@@ -37,44 +77,26 @@
       href: ../defender-for-iot/organizations/iot-advanced-threat-monitoring.md?bc=%2fazure%2fsentinel%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fsentinel%2fTOC.json
 - name: Concepts
   items:
-  - name: Plan
-    items:
-    - name: Prerequisites
-      href: prerequisites.md
+  - name: Availability and support
+    items:     
     - name: Geographical availability and data residency
-      href: geographical-availability-data-residency.md
-    - name: Costs and billing
-      items:
-      - name: Plan costs
-        href: billing.md
-      - name: Monitor costs
-        href: billing-monitor-costs.md
-      - name: Reduce costs
-        href: billing-reduce-costs.md    
-    - name: Best practices
-      items:
-      - name: Overview
-        href: best-practices.md
-      - name: Workspace architecture
-        href: best-practices-workspace-architecture.md
-      - name: Data collection
-        href: best-practices-data.md
-      - name: Partner integrations
-        href: partner-integrations.md
-      - name: Basic Logs
-        href: basic-logs-use-cases.md
-      - name: Auditing and health monitoring 
-        href: health-audit.md    
-    - name: Architecture
-      items:
-      - name: Roles and permissions
-        href: roles.md
-      - name: Extend Microsoft Sentinel across workspaces and tenants
-        href: extend-sentinel-across-workspaces-tenants.md
-      - name: Security baseline
-        href: /security/benchmark/azure/baselines/sentinel-security-baseline?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json      
-      - name: Support for data types in different clouds
-        href: data-type-cloud-support.md
+      href: geographical-availability-data-residency.md          
+    - name: Support for data types in different clouds
+      href: data-type-cloud-support.md
+    - name: Security baseline
+      href: /security/benchmark/azure/baselines/sentinel-security-baseline?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json        
+  - name: Best practices
+    items:
+    - name: Overview
+      href: best-practices.md      
+    - name: Data collection
+      href: best-practices-data.md
+    - name: Partner integrations
+      href: partner-integrations.md
+    - name: Basic Logs
+      href: basic-logs-use-cases.md
+    - name: Auditing and health monitoring 
+      href: health-audit.md                            
   - name: Find solutions and content
     items:
     - name: About Sentinel content
@@ -186,15 +208,7 @@
     - name: Dynamics 365 Finance and Operations solution overview
       href: dynamics-365/dynamics-365-finance-operations-solution-overview.md 
 - name: How-tos
-  items:
-  - name: Plan architecture
-    items:
-    - name: Overview
-      href: design-your-workspace-architecture.md
-    - name: Sample workspace designs
-      href: sample-workspace-designs.md
-    - name: Manage workspace access
-      href: resource-context-rbac.md
+  items:    
   - name: Migrate to Microsoft Sentinel
     items:
     - name: Plan and design your migration
@@ -850,9 +864,7 @@
       - name: Handle ingestion delay in analytics rules
         href: ingestion-delay.md
       - name: Get fine-tuning recommendations
-        href: detection-tuning.md
-    - name: Enable User and Entity Behavior Analytics (UEBA)
-      href: enable-entity-behavior-analytics.md
+        href: detection-tuning.md    
     - name: Work with out-of-the-box anomaly rules
       href: work-with-anomaly-rules.md
     - name: Configure multistage attack (Fusion) rules
@@ -939,8 +951,18 @@
       href: create-tasks-playbook.md
   - name: Manage Microsoft Sentinel
     items:
-    - name: Manage multiple workspaces
-      href: workspace-manager.md
+    - name: Manage costs and billing
+      items:      
+      - name: Monitor costs
+        href: billing-monitor-costs.md
+      - name: Reduce costs
+        href: billing-reduce-costs.md
+    - name: Manage multiple workspaces 
+      items:
+      - name: Workspace manager
+        href: workspace-manager.md
+      - name: Extend across multiple workspaces
+        href: extend-sentinel-across-workspaces-tenants.md  
     - name: Microsoft Sentinel for MSSPs
       items:
       - name: Manage multiple tenants (MSSP)
@@ -949,6 +971,8 @@
         href: multiple-workspace-view.md
       - name: Manage your intellectual property in Microsoft Sentinel
         href: mssp-protect-intellectual-property.md
+    - name: Manage workspace access
+      href: resource-context-rbac.md
     - name: Switch to simplified pricing tiers
       href: enroll-simplified-pricing-tier.md
     - name: Set up customer-managed keys

articles/sentinel/best-practices-data.md

@@ -13,17 +13,7 @@ This section reviews best practices for collecting data using Microsoft Sentinel
 
 ## Prioritize your data connectors
 
-If it's unclear to you which data connectors will best serve your environment, start by enabling all [free data connectors](billing.md#free-data-sources).
-
-The free data connectors will start showing value from Microsoft Sentinel as soon as possible, while you continue to plan other data connectors and budgets.
-
-For your [partner](data-connectors-reference.md) and [custom](create-custom-connector.md) data connectors, start by setting up [Syslog](connect-syslog.md) and [CEF](connect-common-event-format.md) connectors, with the highest priority first, as well as any Linux-based devices.
-
-If your data ingestion becomes too expensive, too quickly, stop or filter the logs forwarded using the [Azure Monitor Agent](../azure-monitor/agents/azure-monitor-agent-overview.md).
-
-> [!TIP]
-> Custom data connectors enable you to ingest data into Microsoft Sentinel from data sources not currently supported by built-in functionality, such as via agent, Logstash, or API. For more information, see [Resources for creating Microsoft Sentinel custom connectors](create-custom-connector.md).
->
+Learn how to [prioritize your data connectors](prioritize-data-connectors.md) as part of the Microsoft Sentinel deployment process.
 
 ## Filter your logs before ingestion
 
@@ -46,30 +36,30 @@ Filter your logs using one of the following methods:
 Standard configuration for data collection may not work well for your organization, due to various challenges. The following tables describe common challenges or requirements, and possible solutions and considerations.
 
 > [!NOTE]
-> Many solutions listed below require a custom data connector. For more information, see [Resources for creating Microsoft Sentinel custom connectors](create-custom-connector.md).
+> Many solutions listed in the following sections require a custom data connector. For more information, see [Resources for creating Microsoft Sentinel custom connectors](create-custom-connector.md).
 >
 
 ### On-premises Windows log collection
 
 
 |Challenge / Requirement  |Possible solutions  |Considerations  |
 |---------|---------|---------|
-|**Requires log filtering**     | Use Logstash <br><br>Use Azure Functions <br><br> Use LogicApps <br><br> Use custom code (.NET, Python)  |  While filtering can lead to cost savings, and ingests only the required data, some Microsoft Sentinel features are not supported, such as [UEBA](identify-threats-with-entity-behavior-analytics.md), [entity pages](entity-pages.md), [machine learning](bring-your-own-ml.md), and [fusion](fusion.md). <br><br>When configuring log filtering, you'll need to make updates in resources such as threat hunting queries and analytics rules     |
+|**Requires log filtering**     | Use Logstash <br><br>Use Azure Functions <br><br> Use LogicApps <br><br> Use custom code (.NET, Python)  |  While filtering can lead to cost savings, and ingests only the required data, some Microsoft Sentinel features aren't supported, such as [UEBA](identify-threats-with-entity-behavior-analytics.md), [entity pages](entity-pages.md), [machine learning](bring-your-own-ml.md), and [fusion](fusion.md). <br><br>When configuring log filtering, make updates in resources such as threat hunting queries and analytics rules     |
 |**Agent cannot be installed**     |Use Windows Event Forwarding, supported with the [Azure Monitor Agent](connect-windows-security-events.md#connector-options)       |   Using Windows Event forwarding lowers load-balancing events per second from the Windows Event Collector, from 10,000 events to 500-1000 events.|
 |**Servers do not connect to the internet**     | Use the [Log Analytics gateway](../azure-monitor/agents/gateway.md)        | Configuring a proxy to your agent requires extra firewall rules to allow the Gateway to work.        |
 |**Requires tagging and enrichment at ingestion**     |Use Logstash to inject a ResourceID <br><br>Use an ARM template to inject the ResourceID into on-premises machines <br><br>Ingest the resource ID into separate workspaces        | Log Analytics doesn't support RBAC for custom tables <br><br>Microsoft Sentinel doesn’t support row-level RBAC <br><br>**Tip**: You may want to adopt cross workspace design and functionality for Microsoft Sentinel.        |
 |**Requires splitting operation and security logs**     | Use the [Microsoft Monitor Agent or Azure Monitor Agent](connect-windows-security-events.md) multi-home functionality        |  Multi-home functionality requires more deployment overhead for the agent.       |
-|**Requires custom logs**     |   Collect files from specific folder paths <br><br>Use API ingestion <br><br>Use PowerShell <br><br>Use Logstash     |   You may have issues filtering your logs. <br><br>Custom methods are not supported. <br><br>Custom connectors may require developer skills.       |
+|**Requires custom logs**     |   Collect files from specific folder paths <br><br>Use API ingestion <br><br>Use PowerShell <br><br>Use Logstash     |   You may have issues filtering your logs. <br><br>Custom methods aren't supported. <br><br>Custom connectors may require developer skills.       |
 
 
 ### On-premises Linux log collection
 
 |Challenge / Requirement  |Possible solutions  |Considerations  |
 |---------|---------|---------|
-|**Requires log filtering**     | Use Syslog-NG <br><br>Use Rsyslog <br><br>Use FluentD configuration for the agent <br><br> Use the Azure Monitor Agent/Microsoft Monitoring Agent <br><br> Use Logstash  |  Some Linux distributions may not be supported by the agent. <br> <br>Using Syslog or FluentD requires developer knowledge. <br><br>For more information, see [Connect to Windows servers to collect security events](connect-windows-security-events.md) and [Resources for creating Microsoft Sentinel custom connectors](create-custom-connector.md).      |
+|**Requires log filtering**     | Use Syslog-NG <br><br>Use Rsyslog <br><br>Use FluentD configuration for the agent <br><br> Use the Azure Monitor Agent/Microsoft Monitoring Agent <br><br> Use Logstash  |  Some Linux distributions might not be supported by the agent. <br> <br>Using Syslog or FluentD requires developer knowledge. <br><br>For more information, see [Connect to Windows servers to collect security events](connect-windows-security-events.md) and [Resources for creating Microsoft Sentinel custom connectors](create-custom-connector.md).      |
 |**Agent cannot be installed**     |  Use a Syslog forwarder, such as (syslog-ng or rsyslog.       |         |
 |**Servers do not connect to the internet**       | Use the [Log Analytics gateway](../azure-monitor/agents/gateway.md)        | Configuring a proxy to your agent requires extra firewall rules to allow the Gateway to work.          |
-|**Requires tagging and enrichment at ingestion**      | Use Logstash for enrichment, or custom methods, such as API or EventHubs.         | You may have extra effort required for filtering.    |
+|**Requires tagging and enrichment at ingestion**      | Use Logstash for enrichment, or custom methods, such as API or Event Hubs.         | You may have extra effort required for filtering.    |
 |**Requires splitting operation and security logs**     |  Use the [Azure Monitor Agent](connect-windows-security-events.md) with the multi-homing configuration.       |         |
 |**Requires custom logs**     |    Create a custom collector using the Microsoft Monitoring (Log Analytics) agent.      |      |
 
@@ -103,7 +93,7 @@ If you need to collect Microsoft Office data, outside of the standard connector
 |**Filter logs from other platforms**     | Use Logstash <br><br>Use the Azure Monitor Agent / Microsoft Monitoring (Log Analytics) agent       |    Custom collection has extra ingestion costs. <br><br>You may have a challenge of collecting all Windows events vs only security events.     |
 |**Agent cannot be used**     |   Use Windows Event Forwarding      | You may need to load balance efforts across your resources.        |
 |**Servers are in air-gapped network**     | Use the [Log Analytics gateway](../azure-monitor/agents/gateway.md)        | Configuring a proxy to your agent requires firewall rules to allow the Gateway to work.        |
-|**RBAC, tagging, and enrichment at ingestion**     |    Create custom collection via Logstash or the Log Analytics API.     |  RBAC is not supported for custom tables <br><br>Row-level RBAC is not supported for any tables.       |
+|**RBAC, tagging, and enrichment at ingestion**     |    Create custom collection via Logstash or the Log Analytics API.     |  RBAC isn't supported for custom tables <br><br>Row-level RBAC isn't supported for any tables.       |
 
 
 ## Next steps

articles/sentinel/best-practices-workspace-architecture.md

@@ -4,7 +4,7 @@ description: Learn about best practices for designing your Microsoft Sentinel wo
 author: limwainstein
 ms.author: lwainstein
 ms.topic: conceptual
-ms.date: 01/09/2023
+ms.date: 06/28/2023
 ---
 
 # Microsoft Sentinel workspace architecture best practices
@@ -138,7 +138,7 @@ Don't apply a resource lock to a Log Analytics workspace you'll use for Microsof
 
 If you do need to work with multiple workspaces, simplify your incident management and investigation by [condensing and listing all incidents from each Microsoft Sentinel instance in a single location](multiple-workspace-view.md).
 
-To reference data that's held in other Microsoft Sentinel workspaces, such as in [cross-workspace workbooks](extend-sentinel-across-workspaces-tenants.md#cross-workspace-workbooks), use [cross-workspace queries](extend-sentinel-across-workspaces-tenants.md).
+To reference data that's held in other Microsoft Sentinel workspaces, such as in [cross-workspace workbooks](extend-sentinel-across-workspaces-tenants.md#use-cross-workspace-workbooks), use [cross-workspace queries](extend-sentinel-across-workspaces-tenants.md#query-multiple-workspaces).
 
 The best time to use cross-workspace queries is when valuable information is stored in a different workspace, subscription or tenant, and can provide value to your current action. For example, the following code shows a sample cross-workspace query:
 
@@ -152,12 +152,8 @@ union Update, workspace("contosoretail-it").Update, workspace("WORKSPACE ID").Up
 For more information, see [Extend Microsoft Sentinel across workspaces and tenants](extend-sentinel-across-workspaces-tenants.md).
 
 ## Next steps
-> [!div class="nextstepaction"]
-> >[Design your Microsoft Sentinel workspace architecture](design-your-workspace-architecture.md)
-> [!div class="nextstepaction"]
-> >[Microsoft Sentinel sample workspace designs](sample-workspace-designs.md)
-> [!div class="nextstepaction"]
-> >[On-board Microsoft Sentinel](quickstart-onboard.md)
-> [!div class="nextstepaction"]
-> >[Get visibility into alerts](get-visibility.md)
 
+In this article, you learned about key decision factors to help you determine the right workspace architecture for your organizations.
+
+> [!div class="nextstepaction"]
+> >[Design your Microsoft Sentinel workspace architecture](design-your-workspace-architecture.md)