You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/configure-content.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -17,11 +17,11 @@ In the previous deployment step, you enabled Microsoft Sentinel, health monitori
17
17
|Step |Description |
18
18
|---------|---------|
19
19
|**Set up data connectors**|Based on the [data sources you selected when you planned your deployment](prioritize-data-connectors.md), and after [enabling the relevant solutions](enable-sentinel-features-content.md), you can now install or set up your data connectors.<br><br>- If you're using an existing connector, [find your connector](data-connectors-reference.md) from this full list of data connectors.<br>- If you're creating a custom connector, use [these resources](create-custom-connector.md).<br>- If you're setting up a connector to ingest CEF or Syslog logs, review these [options](connect-cef-syslog-options.md). |
20
-
|**Set up [analytics rules](detect-threats-built-in.md)** |After you've set up Microsoft Sentinel to collect data from all over your organization, you can begin using threat detection rules or analytics rules. Select the steps you need to set up and configure your analytics rules:<br><br>- [Create a scheduled query rule](detect-threats-custom.md): Create custom analytics rules to help discover threats and anomalous behaviors in your environment.<br>- [Map data fields to entities](map-data-fields-to-entities.md): Add or change entity mappings in an existing analytics rule.<br>- [Surface custom details in alerts](surface-custom-details-in-alerts.md): Add or change custom details in an existing analytics rule.<br>- [Customize alert details](customize-alert-details.md): Override the default properties of alerts with content from the underlying query results.<br>- [Export and import analytics rules](import-export-analytics-rules.md): Export your analytics rules to Azure Resource Manager (ARM) template files, and import rules from these files. The export action creates a JSON file in your browser's downloads location, that you can then rename, move, and otherwise handle like any other file.<br>- [Create near-real-time (NRT) detection analytics rules](create-nrt-rules.md): Create near-time analytics rules for up-to-the-minute threat detection out-of-the-box. This type of rule was designed to be highly responsive by running its query at intervals just one minute apart.<br>- [Work with anomaly detection analytics rules](work-with-anomaly-rules.md): Work with built-in anomaly templates that use thousands of data sources and millions of events, or change thresholds and parameters for the anomalies within the user interface.<br>- [Manage template versions for your scheduled analytics rules](manage-analytics-rule-templates.md): Track the versions of your analytics rule templates, and either revert active rules to existing template versions, or update them to new ones.<br>- [Handle ingestion delay in scheduled analytics rules](ingestion-delay.md): Learn how ingestion delay might impact your scheduled analytics rules and how you can fix them to cover these gaps. |
21
-
|**Set up [automation rules](automate-incident-handling-with-automation-rules.md)**|[Create automation rules](create-manage-use-automation-rules.md): Define the triggers and conditions that determine when your automation rule runs, the various actions that you can have the rule perform, and the remaining features and functionalities.|
22
-
|**Set up [playbooks](automate-responses-with-playbooks.md)**|A playbook is a collection of remediation actions that you run from Microsoft Sentinel as a routine, to help automate and orchestrate your threat response. To set up playbooks:<br><br>- Review these [steps for creating a playbook](automate-responses-with-playbooks.md#steps-for-creating-a-playbook)<br>- [Create playbooks from templates](use-playbook-templates.md): A playbook template is a prebuilt, tested, and ready-to-use workflow that can be customized to meet your needs. Templates can also serve as a reference for best practices when developing playbooks from scratch, or as inspiration for new automation scenarios. |
23
-
|**Set up workbooks**|Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within Microsoft Sentinel. Workbook templates allow you to quickly gain insights across your data as soon as you connect a data source. To set up workbooks:<br><br>- [Create custom workbooks across your data](monitor-your-data.md#create-new-workbook)<br>- [Use existing workbook templates available with packaged solutions](monitor-your-data.md#use-a-workbook-template)|
24
-
|**Set up watchlists**|Watchlists allow you to correlate data from a data source you provide with the events in your Microsoft Sentinel environment. To set up watchlists:<br><br>- [Create watchlists](watchlists-create.md)<br>- [Build queries or detection rules with watchlists](watchlists-queries.md): Query data in any table against data from a watchlist by treating the watchlist as a table for joins and lookups. When you create a watchlist, you define the SearchKey. The search key is the name of a column in your watchlist that you expect to use as a join with other data or as a frequent object of searches. |
20
+
|**Set up analytics rules** |After you've set up Microsoft Sentinel to collect data from all over your organization, you can begin using threat detection rules or [analytics rules](detect-threats-built-in.md). Select the steps you need to set up and configure your analytics rules:<br><br>- [Create a scheduled query rule](detect-threats-custom.md): Create custom analytics rules to help discover threats and anomalous behaviors in your environment.<br>- [Map data fields to entities](map-data-fields-to-entities.md): Add or change entity mappings in an existing analytics rule.<br>- [Surface custom details in alerts](surface-custom-details-in-alerts.md): Add or change custom details in an existing analytics rule.<br>- [Customize alert details](customize-alert-details.md): Override the default properties of alerts with content from the underlying query results.<br>- [Export and import analytics rules](import-export-analytics-rules.md): Export your analytics rules to Azure Resource Manager (ARM) template files, and import rules from these files. The export action creates a JSON file in your browser's downloads location, that you can then rename, move, and otherwise handle like any other file.<br>- [Create near-real-time (NRT) detection analytics rules](create-nrt-rules.md): Create near-time analytics rules for up-to-the-minute threat detection out-of-the-box. This type of rule was designed to be highly responsive by running its query at intervals just one minute apart.<br>- [Work with anomaly detection analytics rules](work-with-anomaly-rules.md): Work with built-in anomaly templates that use thousands of data sources and millions of events, or change thresholds and parameters for the anomalies within the user interface.<br>- [Manage template versions for your scheduled analytics rules](manage-analytics-rule-templates.md): Track the versions of your analytics rule templates, and either revert active rules to existing template versions, or update them to new ones.<br>- [Handle ingestion delay in scheduled analytics rules](ingestion-delay.md): Learn how ingestion delay might impact your scheduled analytics rules and how you can fix them to cover these gaps. |
21
+
|**Set up automation rules**|[Create automation rules](create-manage-use-automation-rules.md). Define the triggers and conditions that determine when your [automation rule](automate-incident-handling-with-automation-rules.md) runs, the various actions that you can have the rule perform, and the remaining features and functionalities. |
22
+
|**Set up playbooks**|A [playbooks](automate-responses-with-playbooks.md) is a collection of remediation actions that you run from Microsoft Sentinel as a routine, to help automate and orchestrate your threat response. To set up playbooks:<br><br>- Review these [steps for creating a playbook](automate-responses-with-playbooks.md#steps-for-creating-a-playbook)<br>- [Create playbooks from templates](use-playbook-templates.md): A playbook template is a prebuilt, tested, and ready-to-use workflow that can be customized to meet your needs. Templates can also serve as a reference for best practices when developing playbooks from scratch, or as inspiration for new automation scenarios. |
23
+
|**Set up workbooks**|[Workbooks](monitor-your-data.md) provide a flexible canvas for data analysis and the creation of rich visual reports within Microsoft Sentinel. Workbook templates allow you to quickly gain insights across your data as soon as you connect a data source. To set up workbooks:<br><br>- [Create custom workbooks across your data](monitor-your-data.md#create-new-workbook)<br>- [Use existing workbook templates available with packaged solutions](monitor-your-data.md#use-a-workbook-template)|
24
+
|**Set up watchlists**|[Watchlists](watchlists.md) allow you to correlate data from a data source you provide with the events in your Microsoft Sentinel environment. To set up watchlists:<br><br>- [Create watchlists](watchlists-create.md)<br>- [Build queries or detection rules with watchlists](watchlists-queries.md): Query data in any table against data from a watchlist by treating the watchlist as a table for joins and lookups. When you create a watchlist, you define the SearchKey. The search key is the name of a column in your watchlist that you expect to use as a join with other data or as a frequent object of searches. |
Copy file name to clipboardExpand all lines: articles/sentinel/prerequisites.md
+5-4Lines changed: 5 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -20,7 +20,7 @@ Before deploying Microsoft Sentinel, we recommend taking the following steps to
20
20
| --------- | ------- |
21
21
|**1. Plan and prepare overview and prerequisites**|**YOU ARE HERE**<br><br>Review the [Azure tenant prerequisites](#azure-tenant-prerequisites). |
22
22
|**2. Plan workspace architecture**| Design your Microsoft Sentinel workspace. Consider parameters such as:<br><br>- Whether you'll use a single tenant or multiple tenants<br>- Any compliance requirements you have for data collection and storage<br>- How to control access to Microsoft Sentinel data<br><br>Review these articles:<br><br>1. [Review best practices](best-practices-workspace-architecture.md)<br>2. [Design workspace architecture](design-your-workspace-architecture.md)<br>3. [Review sample workspace designs](sample-workspace-designs.md)<br>4. [Prepare for multiple workspaces](prepare-multiple-workspaces.md)|
23
-
|**3. [Prioritize data connectors](prioritize-data-connectors.md)**| Determine which [data sources](prioritize-data-connectors.md) you need and the data size requirements to help you accurately project your deployment's budget and timeline.<br><br>You might determine this information during your business use case review, or by evaluating a current SIEM that you already have in place. If you already have a SIEM in place, analyze your data to understand which data sources provide the most value and should be ingested into Microsoft Sentinel. |
23
+
|**3. [Prioritize data connectors](prioritize-data-connectors.md)**| Determine which data sources you need and the data size requirements to help you accurately project your deployment's budget and timeline.<br><br>You might determine this information during your business use case review, or by evaluating a current SIEM that you already have in place. If you already have a SIEM in place, analyze your data to understand which data sources provide the most value and should be ingested into Microsoft Sentinel. |
24
24
|**4. [Plan roles and permissions](roles.md)**|Use Azure role based access control (RBAC) to create and assign roles within your security operations team to grant appropriate access to Microsoft Sentinel. The different roles give you fine-grained control over what Microsoft Sentinel users can see and do. Azure roles can be assigned in the Microsoft Sentinel workspace directly, or in a subscription or resource group that the workspace belongs to, which Microsoft Sentinel inherits. |
25
25
|**5. [Plan costs](billing.md)**|Start planning your budget, considering cost implications for each planned scenario.<br><br> Make sure that your budget covers the cost of data ingestion for both Microsoft Sentinel and Azure Log Analytics, any playbooks that will be deployed, and so on. |
26
26
@@ -42,10 +42,11 @@ Before deploying Microsoft Sentinel, make sure that your Azure tenant has the fo
42
42
43
43
- A [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md) is required to house all of the data that Microsoft Sentinel will be ingesting and using for its detections, analytics, and other features. For more information, see [Microsoft Sentinel workspace architecture best practices](best-practices-workspace-architecture.md). Microsoft Sentinel doesn't support Log Analytics workspaces with a resource lock applied.
44
44
45
-
We recommend that when you set up your Microsoft Sentinel workspace, [create a resource group](../azure-resource-manager/management/manage-resource-groups-portal.md) that's dedicated to Microsoft Sentinel and the resources that Microsoft Sentinel uses, including the Log Analytics workspace, any playbooks, workbooks, and so on.
45
+
-We recommend that when you set up your Microsoft Sentinel workspace, [create a resource group](../azure-resource-manager/management/manage-resource-groups-portal.md) that's dedicated to Microsoft Sentinel and the resources that Microsoft Sentinel uses, including the Log Analytics workspace, any playbooks, workbooks, and so on.
46
46
47
-
A dedicated resource group allows for permissions to be assigned once, at the resource group level, with permissions automatically applied to any relevant resources. Managing access via a resource group helps to ensure that you're using Microsoft Sentinel efficiently without potentially issuing improper permissions. Without a resource group for Microsoft Sentinel, where resources are scattered among multiple resource groups, a user or service principal may find themselves unable to perform a required action or view data due to insufficient permissions.
48
-
To implement more access control to resources by tiers, use extra resource groups to house the resources that should be accessed only by those groups. Using multiple tiers of resource groups enables you to separate access between those tiers.
47
+
A dedicated resource group allows for permissions to be assigned once, at the resource group level, with permissions automatically applied to any relevant resources. Managing access via a resource group helps to ensure that you're using Microsoft Sentinel efficiently without potentially issuing improper permissions. Without a resource group for Microsoft Sentinel, where resources are scattered among multiple resource groups, a user or service principal may find themselves unable to perform a required action or view data due to insufficient permissions.
48
+
49
+
To implement more access control to resources by tiers, use extra resource groups to house the resources that should be accessed only by those groups. Using multiple tiers of resource groups enables you to separate access between those tiers.
0 commit comments