Governance Policies Azure Security Sentinel - Azure/az-prototype GitHub Wiki
Governance policies for Sentinel
Domain: azure-security

Pattern

| Name | Description |
|---|---|
| Sentinel with core data connectors and Fusion | Dedicated Sentinel workspace with Azure Activity, Entra ID connectors, and Fusion detection |

Anti-patterns

| Description | Instead |
|---|---|
| Do not deploy Sentinel on a shared operational workspace | Use a dedicated Log Analytics workspace for security monitoring with appropriate retention |
| Do not disable built-in Fusion detection | Keep Fusion enabled as it provides ML-based multi-stage attack correlation |

Checks

| Check | Severity | Description |
|---|---|---|
| AZ-SNTL-001 | Required | Deploy Microsoft Sentinel on a dedicated Log Analytics workspace with onboarding state enabled |
| AZ-SNTL-002 | Required | Enable core data connectors for Azure Activity, Entra ID, and Defender for Cloud |
| AZ-SNTL-003 | Required | Enable the Fusion alert rule for ML-based multi-stage attack detection |
| AZ-SNTL-004 | Recommended | Configure automation rules for common incident response playbooks |
| AZ-SNTL-005 | Recommended | Set up workspace-level RBAC with Microsoft Sentinel-specific roles |

AZ-SNTL-001: Deploy Microsoft Sentinel on a dedicated Log Analytics workspace with onboarding state enabled

Severity: Required
Rationale: Sentinel requires an onboarded Log Analytics workspace for security event correlation and threat detection
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

- Microsoft.SecurityInsights/settings

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.SecurityInsights/dataConnectors | Azure Activity data connector | Data connector for Azure Activity logs; baseline for subscription-level event monitoring |
| Microsoft.SecurityInsights/alertRules | Fusion alert rule | Built-in Fusion rule for multi-stage attack detection using ML correlation |
| Microsoft.Authorization/roleAssignments | Microsoft Sentinel Responder / Reader | RBAC role assignments for SOC analysts and security responders |

AZ-SNTL-002: Enable core data connectors for Azure Activity, Entra ID, and Defender for Cloud

Severity: Required
Rationale: Data connectors feed Sentinel with security signals; missing connectors create blind spots
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

- Microsoft.SecurityInsights/settings

AZ-SNTL-003: Enable the Fusion alert rule for ML-based multi-stage attack detection

Severity: Required
Rationale: Fusion uses ML to correlate low-fidelity signals across data sources into high-confidence incidents
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

- Microsoft.SecurityInsights/settings

AZ-SNTL-004: Configure automation rules for common incident response playbooks

Severity: Recommended
Rationale: Automation rules reduce mean time to respond by executing playbooks on incident creation
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

- Microsoft.SecurityInsights/settings

AZ-SNTL-005: Set up workspace-level RBAC with Microsoft Sentinel-specific roles

Severity: Recommended
Rationale: Sentinel-specific roles (Reader, Responder, Contributor) provide appropriate access levels for SOC tiers
Agents: cloud-architect, security-reviewer

- Microsoft.SecurityInsights/settings
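As an added illustration, not part of the az-prototype wiki or of its agents, the following Python evaluates a flattened workspace inventory against the five checks above and separates blocking (Required) findings from warnings (Recommended). The inventory schema, the connector kind labels (`AzureActivity`, `EntraID`, `DefenderForCloud`) and the sample inventories are assumptions constructed for this example; only the check IDs, severities and intent come from the tables above.

```python
"""Evaluate a simplified Sentinel workspace inventory against AZ-SNTL-001..005.

Added example; the inventory layout is an assumption made here, not an Azure API.
"""
from __future__ import annotations

from dataclasses import dataclass

REQUIRED = "Required"
RECOMMENDED = "Recommended"

# Labels for the core connectors named by AZ-SNTL-002 (assumed labels, not Azure kind strings).
CORE_CONNECTORS = {"AzureActivity", "EntraID", "DefenderForCloud"}
# Sentinel-specific built-in roles named in the AZ-SNTL-005 rationale.
SENTINEL_ROLES = {"Microsoft Sentinel Reader", "Microsoft Sentinel Responder",
                  "Microsoft Sentinel Contributor"}


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    message: str


def evaluate(inventory: dict) -> list[Finding]:
    """Return one Finding per failed check, in check-ID order."""
    findings: list[Finding] = []
    ws = inventory.get("workspace", {})

    # AZ-SNTL-001: dedicated workspace with the Sentinel onboarding state enabled.
    if not ws.get("dedicated"):
        findings.append(Finding("AZ-SNTL-001", REQUIRED,
                                "Sentinel shares an operational workspace; use a dedicated one"))
    elif not ws.get("sentinel_onboarded"):
        findings.append(Finding("AZ-SNTL-001", REQUIRED,
                                "workspace is not onboarded to Microsoft Sentinel"))

    # AZ-SNTL-002: every core connector present and enabled (a disabled one is a blind spot).
    enabled = {c["kind"] for c in inventory.get("data_connectors", []) if c.get("enabled")}
    missing = sorted(CORE_CONNECTORS - enabled)
    if missing:
        findings.append(Finding("AZ-SNTL-002", REQUIRED,
                                "missing or disabled core connectors: " + ", ".join(missing)))

    # AZ-SNTL-003: a Fusion rule exists and is enabled.
    fusion_enabled = any(r.get("kind") == "Fusion" and r.get("enabled")
                         for r in inventory.get("alert_rules", []))
    if not fusion_enabled:
        findings.append(Finding("AZ-SNTL-003", REQUIRED, "Fusion alert rule absent or disabled"))

    # AZ-SNTL-004: at least one enabled automation rule.
    if not any(r.get("enabled") for r in inventory.get("automation_rules", [])):
        findings.append(Finding("AZ-SNTL-004", RECOMMENDED, "no enabled automation rules"))

    # AZ-SNTL-005: a Sentinel-specific role assigned at workspace scope (subscription-wide
    # Contributor does not satisfy the check).
    ws_roles = {a["role"] for a in inventory.get("role_assignments", [])
                if a.get("scope") == "workspace"}
    if not ws_roles & SENTINEL_ROLES:
        findings.append(Finding("AZ-SNTL-005", RECOMMENDED,
                                "no Microsoft Sentinel-specific role assigned at workspace scope"))
    return findings


def failing_checks(inventory: dict) -> list[str]:
    return [f.check for f in evaluate(inventory)]


def blocks_deployment(inventory: dict) -> bool:
    """Required findings block a deployment; Recommended findings only warn."""
    return any(f.severity == REQUIRED for f in evaluate(inventory))


# Constructed sample inventories (not real environments).
NONCOMPLIANT = {
    "workspace": {"dedicated": False, "sentinel_onboarded": True},
    "data_connectors": [{"kind": "AzureActivity", "enabled": True},
                        {"kind": "EntraID", "enabled": True},
                        {"kind": "DefenderForCloud", "enabled": False}],
    "alert_rules": [{"kind": "Fusion", "enabled": False}],
    "automation_rules": [],
    "role_assignments": [{"role": "Contributor", "scope": "subscription"}],
}

COMPLIANT = {
    "workspace": {"dedicated": True, "sentinel_onboarded": True},
    "data_connectors": [{"kind": k, "enabled": True} for k in CORE_CONNECTORS],
    "alert_rules": [{"kind": "Fusion", "enabled": True}],
    "automation_rules": [{"name": "triage-playbook", "enabled": True}],
    "role_assignments": [{"role": "Microsoft Sentinel Responder", "scope": "workspace"}],
}

if __name__ == "__main__":
    for name, inv in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(f"{name}: blocks deployment = {blocks_deployment(inv)}")
        for f in evaluate(inv):
            print(f"  {f.check} [{f.severity}] {f.message}")
```

The noncompliant sample trips all five checks: shared workspace, a disabled Defender for Cloud connector, a Fusion rule that exists but is switched off, no automation rules, and only a subscription-scoped generic Contributor assignment. Treating Required findings as blocking and Recommended ones as warnings mirrors the severity column in the checks table.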