
Azure Sentinel: Storage & design considerations


Hi All,


Some thoughts on storage & cost from the customer perspective...

  • In the same way that the LA Design has been answered here:
  • https://techcommunity.microsoft.com/t5/Azure-Sentinel/Best-practices-for-designing-an-Azure-Sentinel-or-Azure-Security/ba-p/832574

In a recent example where we had enabled a number of firewall and proxy connectors we were quickly looking at 80 - 100GB a day that was going to translate into AUD$10K a month based on only a 30 day retention period - this was going to be quite an impact on the cost of the PoC - but it also caused the Customer to have some reservations on whether or not to move forward with Sentinel based on unknown costs from Microsoft + Storage costs...


Is it possible to get similar ideas from a Storage perspective of how this *should* be designed?

Some initial thoughts are:

  • Office ATP – use free storage, just direct Alerts only to Sentinel
  • Azure ATP – use free storage, just direct Alerts only to Sentinel
  • Defender ATP – use free storage, just direct Alerts only to Sentinel
  • Bluecoat - direct connector only to MCAS
  • Palo Alto - direct connector only to MCAS
  • Cisco ASA - direct connector only to MCAS
  • MCAS - just direct Alerts only to Sentinel

On the surface of it, this would likely reduce the storage needs in Sentinel, however it's also likely that this will reduce its effectiveness due to fewer data points and telemetry?

It will also mean that any analyst will then have to fall back to jumping between consoles?


Any thoughts or feedback welcome 
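Before deciding which connectors to keep, it helps to measure what each table is actually costing rather than estimating from the 80 - 100GB/day figure. The query below is an added example, not from the thread or from Microsoft; it runs against the Log Analytics Usage table (where Quantity is reported in MB and IsBillable marks data that counts toward ingestion charges) and ranks the billable data types over the last 30 days, so the firewall/proxy tables (typically CommonSecurityLog or Syslog) can be compared against the free alert-only sources. The 30-day window and the "cap" column are assumptions for illustration.

```kql
// Added example: billable ingestion per data type over the last 30 days.
// Usage.Quantity is in MB; IsBillable == true excludes free tables
// (e.g. the Microsoft security alert tables the post proposes keeping).
let lookback = 30d;
Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true
| summarize BillableGB = sum(Quantity) / 1024 by DataType
| extend AvgGBPerDay = round(BillableGB / 30, 2)
// Assumed planning figure, not a real price: share of a hypothetical
// 100 GB/day budget each table would consume if kept at this rate.
| extend ShareOf100GBPerDay = round(100.0 * AvgGBPerDay / 100, 1)
| order by BillableGB desc
```

Running it per workspace shows whether the cost is dominated by a few verbose sources (which could be filtered at the CEF/syslog collector before ingestion) or spread across many, which is the input needed for the "keep in Sentinel vs. alerts only" decision being discussed.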

1 Reply

@David Caddick 

Understand the concerns. Pricing will be available at GA which should hopefully clear this up a bit. For PoCs it really depends. The customer should define use cases/requirements they need to confirm the product does to move forward. That might require ingesting all FW logs and be more expensive than, say, ingesting only the free O365 logs. Each customer is different.


I agree with alerts from the Microsoft solutions. Besides Office, all security products are alerts only (minus MCAS shadow IT). But I would not agree with sending FW/proxy logs to just MCAS. For example, we have alerts that are built for FW and proxy logs. You would possibly be limiting what you can detect in your environment, or correlating alerts from those systems with alerts from other systems.

