Cloud can be tricky sometimes. Find out which scenarios we've run into that are worth mentioning and explaining.
The following post is part of a series of articles that focus on the many capabilities and options of Azure Sentinel, from the beginning with deployment, through configuring connectors, to setting up and using Notebooks, Azure Lighthouse and more.
This article focuses on the different ways of setting up and configuring Azure Sentinel, with tips from the field on getting the settings right.
Microsoft’s new cloud-hosted security information and event management service has rolled out in public preview, and Azure Sentinel is Microsoft’s thoroughly modern SIEM.
Azure Sentinel is by far the most exciting announcement out of Redmond so far this year. Aside from that, what is Azure Sentinel? It’s a 100% cloud-based Security Information and Event Management (SIEM) solution.
I’ve been referring to Log Analytics with Azure Security Center as Microsoft’s cloud SIEM solution, but Azure Sentinel allows you to collect logs from anywhere!
Once Azure Sentinel is deployed, anything that ships Common Event Format (CEF) logs can integrate with it.
Deploy and Configure Azure Sentinel
Deploying Azure Sentinel is less an installation than a set of activation and onboarding actions with a fair amount of configuration, so let’s prepare the requirements first and then onboard Azure Sentinel.
Before deploying Azure Sentinel, make sure that you have everything required to access, create, and configure the Azure subscription and its resources.
Before we jump into Azure Sentinel configuration, data connectors, and dashboards, let’s quickly go through the prerequisites and the other deployment phases.
First, make sure that you have the following:
- An active Azure subscription; if you don’t have one, create a free account before you begin
- A Log Analytics workspace (learn how to create a Log Analytics workspace)
- To enable Azure Sentinel, you need Contributor permissions on the subscription in which the Azure Sentinel workspace resides
- To use Azure Sentinel, you need either Contributor or Reader permissions on the resource group that the workspace belongs to
- Additional permissions may be needed to connect specific data sources
Once all the requirements are in place, we can move on to the next step.
Enable Azure Sentinel
To configure Azure Sentinel we need to prepare several components first; these components form the infrastructure, and some of them are critical components on which Azure Sentinel is built.
The first step in enabling Azure Sentinel is to create an Azure Log Analytics workspace with specific settings and configuration.
Highlights for this step
- Make sure you understand the Azure Sentinel pricing options (described later in this post) before choosing one
- Use as few Log Analytics workspaces as possible; consolidate as much as you can into one central workspace
- Avoid bandwidth costs by creating regional workspaces where data would otherwise have to cross regions
- Make sure that the Azure resources sending data are in the same Azure region as your workspace
- Explore the Log Analytics RBAC options, such as resource-centric and table-level RBAC, before creating a workspace, and base the workspace design on your RBAC requirements
- Consider table-level retention when you need different retention settings for different types of data
- In some scenarios, you can lock the workspace to prevent it from being deleted
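The steps above, carried out with Az PowerShell, as an added example that is not part of the original post: it creates a resource group and a single central Log Analytics workspace in a chosen region with a 90-day retention setting, enables Azure Sentinel on it by adding the SecurityInsights solution, and places a CanNotDelete lock on the workspace. The resource group name, workspace name and region are placeholders, and the example assumes the Az.Accounts, Az.Resources, Az.OperationalInsights and Az.MonitoringSolutions modules are installed and that you have already run Connect-AzAccount.

```powershell
# Added example (not from the original post): create a Log Analytics workspace,
# enable Azure Sentinel on it, and lock it against deletion, using Az PowerShell.
# Names, region and retention below are placeholders; adjust them to your environment.
# Assumes Az.Accounts, Az.Resources, Az.OperationalInsights and Az.MonitoringSolutions
# are installed and you are already logged in (Connect-AzAccount).

$ResourceGroup = 'rg-sentinel'          # placeholder
$WorkspaceName = 'law-sentinel-central' # placeholder: the one central workspace
$Location      = 'westeurope'           # placeholder: same region as the resources sending data
$RetentionDays = 90                     # matches the 90 days retained free on Sentinel-enabled workspaces

# 1. Resource group (skipped if it already exists)
if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
}

# 2. Log Analytics workspace; the 'PerGB2018' SKU is the pay-as-you-go (per GB) tier
$Workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
    -Name $WorkspaceName -ErrorAction SilentlyContinue
if (-not $Workspace) {
    $Workspace = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
        -Name $WorkspaceName -Location $Location -Sku 'PerGB2018' -RetentionInDays $RetentionDays
}

# 3. Enable Azure Sentinel by adding the SecurityInsights solution to the workspace
New-AzMonitorLogAnalyticsSolution -Type 'SecurityInsights' -ResourceGroupName $ResourceGroup `
    -Location $Workspace.Location -WorkspaceResourceId $Workspace.ResourceId | Out-Null

# 4. Lock the workspace so it cannot be deleted by accident
New-AzResourceLock -LockName 'sentinel-workspace-nodelete' -LockLevel CanNotDelete `
    -ResourceGroupName $ResourceGroup -ResourceName $WorkspaceName `
    -ResourceType 'Microsoft.OperationalInsights/workspaces' -Force | Out-Null

# Show the lock that now protects the workspace
Get-AzResourceLock -ResourceGroupName $ResourceGroup -ResourceName $WorkspaceName `
    -ResourceType 'Microsoft.OperationalInsights/workspaces' | Select-Object Name, Properties
```

The lock only guards against deletion of the workspace itself; RBAC on the resource group and on tables still has to be designed separately, as the highlights above note.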
Azure Sentinel License
Azure Sentinel licensing is based on the Azure components involved and falls into several categories:
Log Analytics – provides storage and retention of logging data. Pricing is based on GB per month.
Azure Sentinel service cost – pricing for the cloud-native SIEM that provides intelligent security analytics for your entire enterprise. Azure Sentinel pricing is available here.
Initial deployment – for scenarios such as migration from an on-premises SIEM, and the work associated with the initial build of Azure Sentinel: onboarding of log sources, creation of log parsers, and configuration of alerts and playbooks.
Logic Apps – used for automation workflows, such as Azure Sentinel alerts and playbooks. Microsoft’s pricing is per action and per invoked connector. Currently, Microsoft provides a comprehensive list of connectors, from Azure Functions, APIs, email and scheduler to more complex ones like the ServiceNow integration.
Download contents – under Microsoft’s pricing structure there are no fees for inbound traffic; only traffic related to downloads and alerts is charged.
Highlights for Pricing
Before ingesting any data, you should know the fine print of Azure Sentinel pricing.
All figures below are from the Azure Sentinel pricing page, with the following highlights:
In general, Azure Sentinel is charged in two ways:
- Ingestion of data (reserved capacity or per GB)
- Retention of data
Azure Log Analytics – Microsoft offers one month of log retention in the Azure Log Analytics platform; the price for longer log retention in Azure Log Analytics is available here.
Free Log Analytics and Azure Sentinel – pricing for Log Analytics also varies per datacenter, and you are granted a limited amount of free log ingestion per tenant each month.
The first 5 GB of data ingested per organization into the Azure Monitor Log Analytics service every month is free.
Data in an Azure Monitor Log Analytics workspace can be retained at no charge for the first 31 days. Data retained beyond the first 31 days is charged per the data retention prices listed below. For Azure Sentinel-enabled workspaces, the data is retained for free for 90 days.
Application Insights is billed based on the volume of telemetry data that your application sends and the number of web tests that you choose to run. Every GB of data ingested by Application Insights is retained at no charge for 90 days.
For all Office 365 data, ingestion is free.
Azure AD audit logs and sign-in logs are charged according to the reserved capacity or pay-as-you-go per GB model.
If a customer retains Office 365 logs for 9 months, the customer is charged only for (9 months – 3 free months) = 6 paid months.
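Because the charges above are driven by how many GB each data type ingests, the one thing worth checking before (and regularly after) onboarding is the actual ingested volume per table. The following is an added example, not from the original post: it runs a KQL query over the Usage table of a workspace through Az PowerShell and splits the last 30 days of ingestion by data type and by whether it was billable, then compares the billable total with the 5 GB monthly free allowance mentioned above. The resource group and workspace names are placeholders; it assumes the Az.OperationalInsights module is installed and you are logged in.

```powershell
# Added example (not from the original post): report the last 30 days of ingestion
# per data type in a workspace, billable and free, using the Usage table.
# Assumes Az.OperationalInsights is installed and Connect-AzAccount has been run;
# the resource group and workspace names are placeholders.

$ResourceGroup = 'rg-sentinel'          # placeholder
$WorkspaceName = 'law-sentinel-central' # placeholder
$FreeAllowanceGB = 5                    # monthly free ingestion quoted on the pricing page

$Workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Usage records ingested volume per table. Quantity is in MB, IsBillable marks
# whether the data type is charged (e.g. Office 365 data is ingested free).
$Query = @'
Usage
| where TimeGenerated > ago(30d)
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType, IsBillable
| sort by IsBillable desc, IngestedGB desc
'@

$Result = Invoke-AzOperationalInsightsQuery -WorkspaceId $Workspace.CustomerId -Query $Query
$Result.Results | Format-Table DataType, IsBillable, IngestedGB -AutoSize

# Sum the billable rows and compare with the free allowance
$BillableGB = 0.0
foreach ($Row in $Result.Results) {
    if ([bool]::Parse($Row.IsBillable)) { $BillableGB += [double]$Row.IngestedGB }
}
$ChargeableGB = [math]::Max(0, $BillableGB - $FreeAllowanceGB)
"Billable ingestion (30d): {0:N2} GB; free allowance: {1} GB; chargeable: {2:N2} GB" -f `
    $BillableGB, $FreeAllowanceGB, $ChargeableGB
```

Running this before enabling a reserved-capacity tier gives a realistic baseline for choosing between reserved capacity and per-GB pricing, and the per-table breakdown shows which connectors drive the bill.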