Forum Discussion
Azure Sentinel: Storage & design considerations
Understand the concerns. Pricing will be available at GA, which should hopefully clear this up a bit. For PoCs it really depends. The customer should define the use cases/requirements they need to confirm the product does to move forward. That might require ingesting all FW logs and be more expensive than, say, ingesting only the free O365 logs. Each customer is different.
I agree with alerts from the Microsoft solutions. Besides Office, all security products are alerts only (minus MCAS Shadow IT). But I would not agree with sending FW/proxy logs to just MCAS. For example, we have alerts that are built for FW and proxy logs. You would possibly be limiting what you can detect in your environment, or correlating alerts from those systems with alerts from other systems.