Blog Post

Microsoft Sentinel Blog
7 MIN READ

Azure Sentinel Insecure Protocols Workbook Implementation Guide

Jon_Shectman's avatar
Jon_Shectman
Icon for Microsoft rankMicrosoft
Feb 27, 2020
This blog post is authored by Jon Shectman and Brian Delaney.   In this blog article, we’ll examine the Insecure Protocols Workbook (IP Workbook) and how, with minimal on-premise configuration, y...
Updated Nov 03, 2021
Version 13.0
detection
investigation
microsoft sentinel
security
VAST
Andy Loy's avatar
Andy Loy
Copper Contributor
Apr 23, 2021

Hello – great article and solution. May I ask a specific question on Stage 4: Configure Security Events Data Connector Settings and the requirement to stream ‘All Events’.

 

Currently we use ‘Common Events’ setting – namely as we have concerns on log ingestion volumes and onwards data retention costs within our Azure Sentinel deployment.


Therefore can I ask

 

  1. Is ‘All Events’ setting definitely a pre-req for this solution or would ‘Common Events’ setting suffice?
  2. If the answer to a) is ‘Yes’ can you advise on a way to mitigate the impact of this. I assume you would need another Sentinel Instance where this setting can be applied (and IP dashboard solution added) and only connect In-Scope Servers through MMA Agent Configuration?
  3. Can I ask to clarify my understanding around the definition of ‘In-Scope’ servers for the solution – I assume this needs to be Domain Controllers as a must but does the solution need Domain Member servers also for in-scope purposes?

------

HI Andy - 

1. Yes. The partial data set won't do it.

2. This is one of the most requested capabilities in my experience with customers. Log filtering at the MMA would let you choose which logs. I believe that this feature is slated for later this year.

3. Just Domain Controllers

- Thanks, Jon