How to Identify Log Sources Required to Expose Specific Activity in Azure Sentinel

From time to time, customers ask about an MVP – or Minimum Viable Product – when discussing standing up Azure Sentinel. An MVP would be the base configuration (with all connectors, analytics rules, workbooks, etc.) for the environment. Unfortunately, this is a gray area, and it concludes with the most famous Microsoft response ever issued: “it depends.”

It really does depend. It depends on several things about the customer’s environment, including devices, endpoints, services, applications, policies, compliance requirements, corporate politics, department politics, and end-user habits, among a ton of other things. I feel it’s necessary to dig into all of that in future blog posts, but here I’d like to highlight a small portion of it that goes a long way toward providing a piece of the ask. Setting up a Microsoft-centric MVP environment has become much easier with the release of the Zero Trust (TIC3.0) Workbook.

This guidance Workbook is valuable. In itself, it’s an educational tool that enables customers to become well versed in Zero Trust and the TIC initiatives, particularly when it comes to Microsoft security platform solutions.

One big ask from customers is recommendations on which log sources are required (as part of this almost mythical MVP) to capture specific threats. And, really…this is the right approach to an MVP.

In addition to the Incident Response Playbooks I wrote about earlier that also provide recommended log sources, the Zero Trust Workbook provides even deeper context for the log sources and the services recommended to expose the specific activity.

Try it! The Zero Trust Workbook is now available as a template in the Azure Sentinel console in the Workbooks blade.

My example…

In the image below, I’ve selected the Files option in the TIC 3.0 Capabilities section of the Workbook, and when I scroll down to the Requirement section, the Required Log Sources are shown.
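Once the Workbook lists the Required Log Sources for a capability, the next thing I want to know is whether those tables are actually receiving data in the workspace. The KQL below is an added check, not part of the original post or of the Zero Trust Workbook; it runs in the Sentinel Logs blade. The table names in the `RequiredSources` list are placeholders I chose for illustration, so substitute the Required Log Sources the Workbook shows for the capability you selected.

```kql
// Added example: confirm that the log sources the Workbook marks as required
// are populated in this workspace. The table names below are placeholders
// (assumption); replace them with the Required Log Sources shown by the Workbook.
let LookBack = 24h;
let RequiredSources = datatable(SourceTable:string) [
    "SigninLogs",
    "AuditLogs",
    "OfficeActivity",
    "SecurityAlert"
];
// One row per table that produced at least one record in the look-back window.
let ObservedSources = union withsource=SourceTable *
    | where TimeGenerated > ago(LookBack)
    | summarize RecordCount = count(), LastRecord = max(TimeGenerated) by SourceTable;
// Left-outer join keeps every required table; a null LastRecord means the
// connector for that source is not delivering data and the capability is blind.
RequiredSources
| join kind=leftouter ObservedSources on SourceTable
| extend Status = iff(isnull(LastRecord), "MISSING - no records in look-back window", "OK")
| project SourceTable, Status, RecordCount, LastRecord
| order by Status asc
```

Keep the look-back window short: `union *` touches every table in the workspace, so a wide window on a large workspace is slow and costly. Any row reporting MISSING is a gap between what the Workbook says is required and what the connectors are actually delivering, and that gap is what an MVP conversation should close before the analytics rules for that capability are enabled.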

