#1 Getting down and really dusty with Microsoft Sentinel, one of Microsoft's crown jewels, hidden so well in plain sight that many Managed Service Providers (MSPs) and cyber security teams do not even know it exists. Better yet, it is a very good choice for any organisation or security team that needs to review and analyse data; in the case of cyber security, that means telemetry correlated from many sources, Microsoft and non-Microsoft alike.
For MSPs who wish to extend their offerings, a managed Microsoft Sentinel platform could be the way to do it. If you have clients who are required to keep log data for compliance, audit or security reasons, Sentinel is easy to learn and completely integrated with the applications your clients are already using, making it an easy starting point for a new service to offer them.
Intellectual property gives your business a competitive advantage, as it is difficult for other MSPs to replicate what you create. Therefore, consider building a platform around offerings such as Microsoft Sentinel.
If you do not need the introduction then please go directly to the Microsoft Sentinel brain dump. I speak with MSPs and end customers daily about Microsoft Sentinel, and I want to share what I have found out through those interactions.
Introduction to Microsoft Sentinel
Microsoft Sentinel is a Security Information and Event Management (SIEM) solution combined with a Security Orchestration, Automation and Response (SOAR) platform, and it provides a platform for threat hunting, intelligent analytics and threat response.
Microsoft has a good description here of Sentinel and SIEM / SOAR, so I will refrain from repeating what the vendor can say much better than I can!
Typically, conversations extend to SIEM/SOAR where an industry needs certain accreditations, such as ISO 27001, which requires an organisation to store log data read-only for an extended period of time from all application, endpoint, identity and similar sources.
Equally, organisations that are serious about their cyber resilience programmes are already investigating Security Information and Event Management solutions, as these solutions, with the current capabilities in machine learning and artificial intelligence, are the only way to present the data to human experts so that breaches and attempted breaches can be fully understood and investigated.
| 4. Mitigation strategies to detect cyber security incidents and respond | Risk | Microsoft option |
|---|---|---|
| Continuous incident detection and response | Compromise/Breach | Microsoft Sentinel, Graph API, Azure Arc |
| Host-based intrusion detection/prevention system | Compromise/Breach | Microsoft Defender for Business, Defender for Endpoint P2 (ASR) |
| Endpoint detection and response software | Compromise/Breach | Microsoft Defender for Business, Defender for Endpoint P2 |
| Hunt to discover incidents | Compromise/Breach | Microsoft Sentinel, Graph API, Azure Arc |
| Network-based intrusion detection/prevention system | Compromise/Breach | |
| Capture network traffic | Compromise/Breach | |
Microsoft Sentinel – Brain dump
The information provided below is what I refer to as “rough and ready”; it may not be formatted perfectly, but it is data that can be valuable if you are looking to start a practice around SIEM/SOAR, and specifically Microsoft Sentinel in this case.
Setting up Microsoft Sentinel
As Microsoft Sentinel is a SaaS platform, there is very little configuration needed to get started from your Azure portal, here:
Initial Set up of Sentinel can be found here:
Next steps are linked above as well.
Microsoft Sentinel Training
I have found a couple of good sources for training; complete these and you become a guru. Remember Kusto Query Language (KQL): if you have used T-SQL before, then you know KQL.
For two part extensive training there is more available below:
Microsoft Sentinel importing log data
The importing of log data from Azure VMs is fairly straightforward as well; I used the following URL to help with setting up connectors:
Microsoft Sentinel cost calculator
“How much is Microsoft Sentinel going to cost me?” is a very common question I receive in my engagements. There is no tried-and-true answer to this, except that Microsoft provides some free ingestion of log data from other Microsoft platforms for 30 days; I believe this is around 500 MB per endpoint or identity from Microsoft Defender platforms such as Microsoft Defender for Endpoint P2 and Microsoft Defender for Office 365.
Considering the above, the best thing to do, in my opinion, is to set a spend limit to start with; setting this limit very low will prevent “bill shock” later down the track.
Warning: if Sentinel goes over its spend limit, log data will not be captured, leading to “gaps” in your timeline. In a production environment, be careful to watch your spend limits.
Estimating raw data ingestion from M365 into Sentinel; more information can be found here:
Here is another very good cost calculator:
And finally some further cost information on Microsoft Sentinel here:
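As an added example (not code from the original post), here is a KQL query against the workspace's Usage table that shows how close each day's billable ingestion came to a daily cap, so the timeline gaps the warning above describes can be spotted before they happen. It assumes a Log Analytics workspace with a daily cap; CapGB is a placeholder you set to your own cap.

```kql
// Added example, not part of the original post. Assumes a Log Analytics
// workspace with a daily cap of CapGB (placeholder value: 1 GB/day).
let CapGB = 1.0;           // assumed daily cap in GB (placeholder, set your own)
let WarnPct = 0.8;         // flag days that reach 80% of the cap
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true                      // only paid-for data counts towards the cap
| summarize IngestedGB = sum(Quantity) / 1024.0  // Usage.Quantity is recorded in MB
    by Day = bin(TimeGenerated, 1d), DataType
| summarize DayTotalGB = round(sum(IngestedGB), 3),
            arg_max(IngestedGB, DataType)        // largest single source that day
    by Day
| project-rename LargestSourceGB = IngestedGB, LargestSource = DataType
| extend LargestSourceGB = round(LargestSourceGB, 3),
         PctOfCap = round(100.0 * DayTotalGB / CapGB, 1)
| extend Status = case(
    DayTotalGB >= CapGB,           "cap reached - expect gaps in the timeline",
    DayTotalGB >= WarnPct * CapGB, "approaching cap",
                                   "ok")
| project Day, DayTotalGB, PctOfCap, LargestSource, LargestSourceGB, Status
| order by Day desc
```

Running this as a scheduled analytics rule that alerts on any row whose Status is not "ok" gives early notice of which connector is driving the spend before ingestion stops.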
Microsoft Sentinel and Purview Information Protection
Microsoft Purview Information Protection (PIP), formerly known as Azure Information Protection, formerly known as Rights Management, formerly known as… (you get the picture). PIP is a full information protection platform that will be discussed in a future article; as far as Microsoft Sentinel is concerned, PIP data can be easily ingested into Sentinel.
Having Purview Information Protection log data within Sentinel dramatically extends the capabilities of Sentinel: for example, all the actions of a malicious insider can now be tracked, and data exfiltration attempts can be detected through the single analytics view within Sentinel.
Microsoft Purview Information protection, monitoring from Sentinel:
Microsoft Sentinel summary
There is an absolute plethora of data available regarding Microsoft Sentinel; if you have corrections or wish to point me at other sources then please let me know. My goal with these articles is to upskill clients and MSPs with the technologies that I work with.