Skip to content

Governance Policies Azure Security Sentinel

Jump to bottom
Joshua Davis edited this page Apr 5, 2026 · 2 revisions

Sentinel

Governance policies for Sentinel

Domain: azure-security

Patterns

Name Description
Sentinel with core data connectors and Fusion Dedicated Sentinel workspace with Azure Activity, Entra ID connectors, and Fusion detection

Anti-Patterns

Description Instead
Do not deploy Sentinel on a shared operational workspace Use a dedicated Log Analytics workspace for security monitoring with appropriate retention
Do not disable built-in Fusion detection Keep Fusion enabled as it provides ML-based multi-stage attack correlation

References

Checks (5)

Check Severity Description
AZ-SNTL-001 Required Deploy Microsoft Sentinel on a dedicated Log Analytics workspace with onboarding state enabled
AZ-SNTL-002 Required Enable core data connectors for Azure Activity, Entra ID, and Defender for Cloud
AZ-SNTL-003 Required Enable the Fusion alert rule for ML-based multi-stage attack detection
AZ-SNTL-004 Recommended Configure automation rules for common incident response playbooks
AZ-SNTL-005 Recommended Set up workspace-level RBAC with Microsoft Sentinel-specific roles

AZ-SNTL-001

Deploy Microsoft Sentinel on a dedicated Log Analytics workspace with onboarding state enabled

Severity: Required
Rationale: Sentinel requires an onboarded Log Analytics workspace for security event correlation and threat detection
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

Targets

  • Microsoft.SecurityInsights/settings

Companion Resources

Resource Name Purpose
Microsoft.SecurityInsights/dataConnectors Azure Activity data connector Data connector for Azure Activity logs — baseline for subscription-level event monitoring
Microsoft.SecurityInsights/alertRules Fusion alert rule Built-in Fusion rule for multi-stage attack detection using ML correlation
Microsoft.Authorization/roleAssignments Microsoft Sentinel Responder / Reader RBAC role assignments for SOC analysts and security responders

AZ-SNTL-002

Enable core data connectors for Azure Activity, Entra ID, and Defender for Cloud

Severity: Required
Rationale: Data connectors feed Sentinel with security signals; missing connectors create blind spots
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

Targets

  • Microsoft.SecurityInsights/settings

AZ-SNTL-003

Enable the Fusion alert rule for ML-based multi-stage attack detection

Severity: Required
Rationale: Fusion uses ML to correlate low-fidelity signals across data sources into high-confidence incidents
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

Targets

  • Microsoft.SecurityInsights/settings

AZ-SNTL-004

Configure automation rules for common incident response playbooks

Severity: Recommended
Rationale: Automation rules reduce mean time to respond by executing playbooks on incident creation
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

Targets

  • Microsoft.SecurityInsights/settings

AZ-SNTL-005

Set up workspace-level RBAC with Microsoft Sentinel-specific roles

Severity: Recommended
Rationale: Sentinel-specific roles (Reader, Responder, Contributor) provide appropriate access levels for SOC tiers
Agents: cloud-architect, security-reviewer

Targets

  • Microsoft.SecurityInsights/settings

Home

Getting Started

Stages

Interfaces

Configuration

Agent System

Features

Quality

Help

Governance

Policies — Azure

AI Services

Compute

Data Services

Identity

Management

Messaging

Monitoring

Networking

Security

Storage

Web & App

Policies — Well-Architected

Reliability

Security

Cost Optimization

Operational Excellence

Performance Efficiency

Integration

Anti-Patterns
Standards

Application

IaC

Principles

Transforms

Clone this wiki locally