#1 Getting down and really dusty with Microsoft sentinel

Get down with Microsoft Sentinel

Getting down and really dusty with Microsoft Sentinel: one of Microsoft's crown jewels, hidden so well in plain sight that many Managed Service Providers (MSPs) and cyber security teams do not even know it exists. Better yet, it is a very good choice for any organisation or security team that needs to review and analyse data; in the case of cyber security, that means telemetry correlated from many sources, Microsoft and non-Microsoft alike.

For MSPs who wish to extend their offerings, a managed Microsoft Sentinel platform could be the way to do it. If you have clients who are required to keep log data for compliance, audit or security reasons, then Sentinel is easy to learn and completely integrated with the applications your clients are already using, making it an easy starting point for a new service to offer them.

Intellectual property gives your business a competitive advantage, as it is difficult for other MSPs to replicate what you create. Therefore consider building a platform around offerings such as Microsoft Sentinel.

If you do not need the introduction then please go directly to the Microsoft Sentinel Brain dump. I speak with MSPs and end customers daily about Microsoft Sentinel and I want to share what I have found out through those interactions.

Introduction to Microsoft Sentinel

Microsoft Sentinel is a Security Information and Event Management (SIEM) solution alongside a Security Orchestration, Automation and Response (SOAR) platform, and it provides a platform for threat hunting, intelligent analytics and threat response.


Microsoft has a good description of Sentinel and SIEM / SOAR here, so I will refrain from repeating what the vendor says much better than I can!

Typically, conversations that extend to SIEM/SOAR arise where an industry needs certain accreditations, such as ISO 27001, which requires an organisation to store log data read-only for an extended period of time from all application, endpoint, identity and other sources.

Equally, organisations who are serious about their cyber resilience programmes are already investigating Security Information and Event Management solutions, because with the current capabilities in Machine Learning and Artificial Intelligence these solutions are the only way to present the data to human experts so that breaches, and attempted breaches, can be fully understood and investigated.

4. Mitigation strategies to detect cyber security incidents and respond

| Mitigation strategy | Risk | Microsoft option |
| --- | --- | --- |
| Continuous incident detection and response | Compromise/Breach | Microsoft Sentinel, Graph API, Azure Arc |
| Host-based intrusion detection/prevention system | Compromise/Breach | Microsoft Defender for Business, Defender for Endpoint P2 (ASR) |
| Endpoint detection and response software | Compromise/Breach | Microsoft Defender for Business, Defender for Endpoint P2 |
| Hunt to discover incidents | Compromise/Breach | Microsoft Sentinel, Graph API, Azure Arc |
| Network-based intrusion detection/prevention system | Compromise/Breach | |
| Capture network traffic | Compromise/Breach | |

The Australian Cyber Security Centre comments that these solutions can help reduce the risk of a cyber breach through early detection.

Microsoft Sentinel – Brain dump

The information provided below is what I refer to as “rough and ready”; it may not be formatted perfectly, but it is data that can be valuable if you are looking to start a practice around SIEM/SOAR, and specifically Microsoft Sentinel in this case.

Setting up Microsoft Sentinel

As Microsoft Sentinel is a SaaS platform there is very little configuration needed to get started from your Azure portal, here:

Setting up a new instance of Sentinel is fast and easy; learning it may take a while longer.

Initial Set up of Sentinel can be found here:

Next steps are linked above as well.

Microsoft Sentinel Training

I have found a couple of good sources for training; complete these and you become a guru. Remember Kusto Query Language (KQL): if you have used T-SQL before, then you already know KQL.

Sentinel training part #1, here:

For more extensive two-part training, see below:

Day1

Day2

Microsoft Sentinel importing log data

Importing log data from Azure VMs is fairly straightforward as well; I used the following URL to help with setting up connectors:

Connect Microsoft Sentinel to Azure, Windows, and Microsoft services | Microsoft Docs

Microsoft Sentinel cost calculator

“How much is Microsoft Sentinel going to cost me?” is a very common question I receive in my engagements. There is no tried and true answer to this, except that Microsoft provides some free ingestion of log data from other Microsoft platforms for 30 days; I believe this is around 500 MB per endpoint or identity from Microsoft Defender platforms such as Microsoft Defender for Endpoint P2 and Microsoft Defender for Office 365.

Considering the above, the best thing to do in my opinion is to set a spend limit to start with; setting it very low will prevent “bill shock” later down the track.

Warning: if Sentinel goes over its spend limit then log data will not be captured, leading to “gaps” in your timeline. Be careful to watch your spend limits in a production environment.
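Before you pick a spend limit it helps to know which tables actually drive billable ingestion. The KQL below is an added example (not from the original post) that reports billable volume per data type over the last 30 days; it assumes the built-in Log Analytics Usage table, where Quantity is reported in MB.

```kusto
// Added example, not from the original post: which tables are driving billable ingestion?
// Assumes the built-in Log Analytics Usage table (Quantity is reported in MB).
let lookback = 30d;
let daysInWindow = 30.0;
// Total billable MB over the window, used to compute each table's share.
let totalBillableMB = toscalar(
    Usage
    | where TimeGenerated > ago(lookback) and IsBillable == true
    | summarize sum(Quantity));
Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true                     // non-billable data types are excluded
| summarize BillableMB = sum(Quantity) by DataType
| extend AvgGBPerDay = round(BillableMB / 1024.0 / daysInWindow, 3)
| extend ShareOfTotalPct = round(100.0 * BillableMB / totalBillableMB, 1)
| sort by BillableMB desc
```

The AvgGBPerDay figure is what the Azure pricing page expects as input, and the top rows tell you which connectors to review first if the estimate comes out higher than the limit you had in mind.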

Deploying Microsoft Sentinel Analytics Rules that are Already Enabled – Azure Cloud & AI Domain Blog

For estimating raw data ingestion from M365 into Sentinel, more information can be found here:

https://stefanpems.github.io/M365D-raw-data-ingestion-in-Sentinel/?utm_campaign=Microsoft%20Sentinel%20this%20Week&utm_medium=email&utm_source=Revue%20newsletter

Here is another very good cost calculator:

Azure Monitor agent overview – Azure Monitor | Microsoft Docs

And finally some further cost information on Microsoft Sentinel here:

https://azure.microsoft.com/pricing/details/monitor/

Microsoft Sentinel and Purview Information Protection

Microsoft Purview Information Protection (PIP), formerly known as Azure Information Protection, formerly known as Rights Management, formerly known as… (you get the picture). PIP is a full information protection platform that will be discussed in a future article; as far as Microsoft Sentinel is concerned, PIP data can be easily ingested into Sentinel.

Having Purview Information Protection log data within Sentinel dramatically extends Sentinel's capabilities: for example, all the actions of a malicious insider can now be tracked, and data exfiltration attempts can be detected through the single analytics view within Sentinel.
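One concrete detection of the kind described above, as an added example rather than code from the original post: flag a user who removes or changes sensitivity labels on many files within a short window, a pattern worth reviewing before data leaves the tenant. The table name MicrosoftPurviewInformationProtection, the Operation, UserId and ObjectId columns and the two Operation values are assumptions; check them against your workspace schema.

```kusto
// Added example, not from the original post: users with a burst of sensitivity-label
// removals or changes within one hour, a pattern worth reviewing for insider exfiltration.
// Assumptions: the connector table is MicrosoftPurviewInformationProtection and it carries
// Operation, UserId and ObjectId columns; the Operation values are assumed too.
let window = 1h;
let threshold = 10;          // tune to your environment's normal label-change rate
MicrosoftPurviewInformationProtection
| where TimeGenerated > ago(1d)
| where Operation in~ ("SensitivityLabelRemoved", "SensitivityLabelUpdated")
| summarize LabelChanges = count(),
            Operations   = make_set(Operation),
            SampleFiles  = make_set(ObjectId, 20)
  by UserId, Window = bin(TimeGenerated, window)
| where LabelChanges >= threshold
| sort by LabelChanges desc
```

Wrapped in a scheduled analytics rule, the same query raises an incident with the user and sample files already attached, so an analyst can pivot straight from the label changes to the user's other activity in Sentinel.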

Microsoft Purview Information protection, monitoring from Sentinel:

Monitoring Microsoft Information Protection with Microsoft Sentinel

Microsoft Sentinel summary

There is an absolute plethora of data available regarding Microsoft Sentinel; if you have corrections or wish to point me at other sources then please let me know. My goal with these articles is to upskill clients and MSPs in the technologies that I work with.

Please contact me here if I can assist in any way.
