Hi All,
Some thoughts on storage & cost from the customer perspective...
In a recent example where we had enabled a number of firewall and proxy connectors we were quickly looking at 80 - 100Gb a day that was going to translate into AUD$10K a month based on only a 30 day retention period - this was going to be quite an impact on the cost of the PoC - but it also caused the Customer to have some reservations on whether or not to move forward with Sentinel based on unknown costs from Microsft + Storage costs...
Is it possible to get similar ideas from a Storage perspective of how this *should* be designed?
Some initial thoughts are:
- Office ATP – use free storage, just direct Alerts only to Sentinel
- Azure ATP – use free storage, just direct Alerts only to Sentinel
- Defender ATP – use free storage, just direct Alerts only to Sentinel
- Bluecoat - direct connector only to MCAS
- Palo Alto - direct connector only to MCAS
- Cisco ASA - direct connector only to MCAS
- MCAS - just direct Alerts only to Sentinel
On the surface of it, this would likely reduce the storage needs in Sentinel, however it’s also likely that this will also reduce it’s effectiveness due to less data points and telemetry?
It will also mean that any analyst will then have to fall back to jumping between consoles?
Any thoughts or feedback welcome
