Hello – great article and solution. May I ask a specific question on Stage 4 (Configure Security Events Data Connector Settings) and the requirement to stream 'All Events'?
Currently we use the 'Common Events' setting, mainly because we have concerns about log ingestion volumes and onward data retention costs within our Azure Sentinel deployment.
Therefore, can I ask:
1. Is the 'All Events' setting definitely a prerequisite for this solution, or would the 'Common Events' setting suffice?
2. If the answer to 1 is 'Yes', can you advise on a way to mitigate the impact of this? I assume you would need another Sentinel instance where this setting can be applied (and the IP dashboard solution added), and only connect in-scope servers through the MMA agent configuration?
3. Can I ask you to clarify my understanding of the definition of 'in-scope' servers for the solution? I assume Domain Controllers are a must, but does the solution also need domain member servers to be in scope?
------
Hi Andy -
1. Yes. The partial data set won't do it.
2. This is one of the most requested capabilities in my experience with customers. Log filtering at the MMA would let you choose which logs. I believe that this feature is slated for later this year.
3. Just Domain Controllers
- Thanks, Jon