(Updated April 25th 2021)
While extensive, the Ninja training has to follow a script and cannot expand on every topic. Like any training, you may have questions after the session. This live blog post tries to address that by providing answers to common questions ordered by the Ninja training modules.
Q: How do I do a free-of-charge trial for Azure Sentinel?
There is no straightforward free trial for Sentinel:
There is, however, some usage that is always free, and you can limit yourself to that usage to run a free POC:
So, how do I run a free PoC? Either of those:
Q: Is there a certification for Azure Sentinel? For the Ninja Training?
The new SC-200 exam (Microsoft Security Operations Analyst) also covers Azure Sentinel, which makes up 40% to 45% of the exam, alongside Microsoft Defender and Azure Defender, which are great complements. The SC-200 is not a Ninja Training certification, but the exam is largely based on Ninja Training materials, making the training a good learning path for the certification.
Q: How can I send sample data?
For CEF (Common Event Format) events stored in a file, you can use Logstash to read the CEF sample log file and send it directly to the Log Forwarder.
    # Logstash pipeline: replay a CEF sample file into the Log Forwarder over syslog.
    # The input/output wrappers are reconstructed here; the page only showed the settings.
    input {
      file {
        path => "/home/stefan/samplelogs/cef.log"
        # read the file from the first line, not only newly appended lines
        start_position => "beginning"
        # do not persist the read position, so every run replays the whole file
        sincedb_path => "/dev/null"
      }
    }
    output {
      # the syslog output plugin adds a syslog header around each CEF line
      syslog {
        # change to your log forwarder host and port
        host => "127.0.0.1"
        port => 514
        protocol => "tcp"
      }
    }
Q: How can I have a direct link to the Azure Sentinel overview page? Any other page?
You don't need to get to Azure Sentinel through the Azure Portal every time. Just bookmark any page (or copy the URL) and use it to access your favorite starting point. The URL will have the following format, with the blade number changing based on the specific page you want to start with (line breaks added for clarity):
The usage information is available in the workspace, and you can use these queries for reporting or as a starting point for your own reports. The usage reporting workbooks for Azure Sentinel use this information to provide a comprehensive view of usage.
Q: I used the pricing calculator, is this the actual cost I will pay?
The pricing calculator is a starting point. The following might imply your cost is actually lower:
Our official pricing is to charge for retention beyond 90 days for sources ingested for free. However, you may find that in some cases, we do not actually charge. While we may start charging for such retention in the future, we will not charge retroactively for past charges not collected.
Network communication between regions in Azure costs money, so how does this relate to Azure Sentinel?
Telemetry collected using an agent, the Log Forwarder, or a custom connector using the ingest API incurs inter-region bandwidth costs if the relevant source is not in the workspace region.
However, service-to-service connectors, including Azure diagnostics sources, Office 365, and Microsoft 365 sources will not incur such costs even if the telemetry source is in a different region than the workspace. For example, if you collect telemetry from an Azure Firewall, there is no bandwidth charge regardless of the firewall region.
Please note that the Azure Sentinel documentation is incorrect and identifies several agent-based sources, such as DNS and Windows Firewall, as service-to-service connectors.
Q: When I enable Azure Sentinel on an existing Log Analytics workspace, how does pricing change?
Q: Can Azure Sentinel capacity reservations be reserved for 1 year, 3 years?
No. Azure Sentinel capacity reservations are different from Azure reserved instances and behave like standard Azure meters, billed daily. They differ from pay-as-you-go pricing as they offer a lower per-unit price for reserving a larger amount of units.
Q: How does using Azure Defender affect Azure Sentinel pricing?
When collecting information from Azure Defender licensed nodes into an Azure Sentinel enabled workspace, 500MB/d per licensed node is deducted from the Log Analytics price for certain log types in the workspace, but not from the Azure Sentinel price. The list of relevant log types can be found here. Additional information on this allowance can be found in the Azure Defender pricing FAQ.
Q: Why is the pricing calculator using different capacity reservations for Log Analytics and Azure Sentinel?
Q: Does Azure Sentinel store all data locally?
While the official Azure data residency page mentions that Azure Sentinel is an exception and does not store all data within geography, Azure Sentinel does store data locally in a (growing) number of geographies as outlined here.
Q: On a Windows system with Defender for endpoints already installed, would you install the Log Analytics agent to report Security Events to Azure Sentinel as well?
In general, the answer is yes, but it would depend on the use cases. Windows events are wide in scope but broadly fall into two groups:
Q: How do I forward alerts from Azure Sentinel to another system?
See the Ninja training side-by-side section.
Q: How do I forward data, alerts, or events from my current SIEM to Azure Sentinel?
The most common way would be to use Syslog or CEF, which most SIEM products support. Note that in many cases you would want to forward from the third-party SIEM's collector layer, which is more efficient than overloading the third-party SIEM's processing layer.
The following links can get you started:
Q: Ticket System Integration? Is it ServiceNow only?
While ServiceNow is the most popular ticketing system and many of our examples are focused on it, Logic Apps, on which the integration is based, has connectors with other ticketing systems:
Q: How do I forward events from Azure Sentinel to another SIEM?
We do not recommend forwarding all events from Azure Sentinel to your on-prem SIEM. It may imply you are not getting enough value from Azure Sentinel, which is worth looking into.
In case you want to forward events (all or some), export from Azure Sentinel / Log Analytics to Azure Storage and Event Hub, or move logs to long-term storage using Logic Apps.
Q: Is Azure Sentinel FedRAMP and DoD CC SRG certified?
Yes. See here.
Q: Are there known limitations to Azure Sentinel in Azure Gov?
You can find the known limitations of Azure Gov here.
Q: Best practice is to minimize the number of workspaces, but I want to split the bill. How do I do that?
Q: Are the best practices for Log Analytics and Azure Sentinel concerning workspace architecture the same?
Not always. Log Analytics and Azure Sentinel have different use cases and users, which sometimes require a different approach. If a workspace is used by Azure Sentinel, follow the Azure Sentinel best practices. Also, try to minimize the amount of data not relevant to Azure Sentinel in the workspace to avoid unnecessary costs.
As a reference, you can find the Log Analytics multi-workspace best practices here:
Q: Can I move the Azure Sentinel workspace to a different Resource Group or subscription?
While the feature is available for a Log Analytics workspace, we have not comprehensively tested moving an Azure Sentinel enabled workspace to a new subscription. Customers have done it before, and the one issue we encountered was that analytics rules stop working; disabling and re-enabling the rules helps. That said, there might be other issues, so the prudent solution would be to start over.
Note that the Log Forwarder is based on the Linux-based Log Analytics Agent (MMA), so the questions in the next section, as far as they pertain to the Linux MMA, are relevant for the Log Forwarder as well.
Q: How do I set the Log Forwarder to listen to encrypted Syslog?
Configure the Syslog server part of the Log Forwarder (rsyslog or Syslog-NG) to listen to TLS-based Syslog:
Q: Can I filter Syslog or CEF events?
Q: Should I filter firewall events?
Unlike Windows events, firewall events are simple and of only a handful of types. The most common event types (using Palo Alto's terminology) are:
Both have significant value for your security but have a large volume and therefore cost. Preferably, all should be collected. Inbound failures are candidates for filtering out, as they include a huge volume of low-quality attack attempts.
Q: What size VM should I use for the Log Forwarder?
The Log Forwarder does little itself as parsing is done in the cloud. Therefore, comparatively, smaller and cheaper systems can be used.
You can find official sizing information in the documentation.
In addition, recent reports from customers have suggested:
Use a VM scale set with an Azure load balancer, or an on-prem load balancer, to go beyond that.
Q: Does the Log Forwarder cache information in case of a network outage?
Yes. See details here.
Q: Is the workspace key stored on the agent machine?
We don't store the workspace key. It's only used during onboarding to generate the certs used for ongoing communications by the agent. The Workspace ID is stored in a config file per workspace here: /etc/opt/microsoft/omsagent/ws-id.
Q: Can Azure Sentinel filter Windows Events?
The Log Analytics agent (MMA) offers limited control over the Windows events forwarded. You can set a collection tier for all agents. However, the common tier is often not enough for Azure Sentinel customers, especially as it has to be set for all agents.
The new Azure Monitor Agent (AMA) can granularly filter Windows events using WEF-like XPath expressions.
Q: Does the Agent compress data from on-prem to the cloud?
Yes, the Log Analytics agent (MMA) compresses data when sending it to the cloud. This applies to Syslog, CEF, and local Windows or Linux telemetry. For Linux, the agent uses zlib compression. The zlib compression ratio is typically between 2:1 and 5:1 and maxes out theoretically at 1032:1.
Q: Are there limits to how many custom logs (i.e. files) the Log Analytics agent can collect?
The Log Analytics agent can collect files located on the machine it is installed on. This feature is intended for collecting local files and not as a means for aggregated collection, for example replacing Syslog. It is therefore limited to 500 EPS (events, or log lines, per second) and exhibits issues if attempting to collect and forward higher rates. A common issue at higher rates is event duplication. If you need to collect files at a high volume into Azure Sentinel, consider using Logstash as described here.
Q: Does the Log Analytics agent cache information in case of a network outage?
Yes. For the Linux agent see details here.
Q: Can I connect two workspaces using the Microsoft 365 Defender connector? If so, how does incident synchronization behave?
You can connect two workspaces to Microsoft 365 Defender (M365D), and incidents will be synchronized between both workspaces and M365D. In practice, when you change the status in one workspace, M365D will be updated, and on the next sync cycle (which occurs every 5 minutes) the other workspace will pick up the change.
Q: The Microsoft Defender for Office (Office ATP) connector does not collect all alerts. What can I do?
Specifically, you will find the relevant alerts under those record types:
Start your queries with the following snippet to get alerts of a specific type, substituting 28 with the other record types above:
FAOfficeActivityALL_CL | where RecordType_d == "28"
Q: Does the Azure Information Protection connector support AIP Unified Labeling?
Yes. The same connector collects both AIP Classic and AIP Unified Labeling (UL) logs.
Q: The Teams connector does not support Teams Shifts audit. How can I collect it?
To collect Team Shifts alerts use the Office 365 custom connector and query for RecordType_d == "73".
Q: Which API does Azure Sentinel use to collect CloudTrail events?
The AWS CloudTrail API LookupEvents endpoint.
input(type="imtcp" port="<TCP_PORT>" supportOctetCountedFraming="off")
Q: How can I learn about the schema of the tables in Azure Sentinel?
In general, schema references can be found in the reference section of the Azure Sentinel docs. Those are a few resources to start with:
Q: The log search is limited to 30K results; what can I do?
Indeed, there is a 30K cap on the result set size in the UI. There is usually no meaningful need to review so many results in the UI. The API, and hence PowerShell, can return up to 500,000 results. Use the PowerShell script to run a query and get the results in a CSV file.
If you still need more than 10K results in the portal:
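One way to page through a large result set in the portal in slices that stay under the UI cap, as an added example that is not from the original post (it assumes the SecurityEvent table and a constructed filter; adjust both to your own query):

```kql
// Added example: fetch rows (pageNumber-1)*pageSize+1 .. pageNumber*pageSize
// of a stably ordered result, re-running with the next pageNumber for the next slice.
let pageSize = 10000;   // rows per slice; keep it below the 30K UI cap
let pageNumber = 1;     // constructed: increment to fetch the next slice
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4624                       // constructed filter: successful logons
| project TimeGenerated, Computer, Account, LogonType
| order by TimeGenerated asc, Computer asc    // a stable order is required for consistent paging
| extend RowNumber = row_number()             // row_number() needs the serialized (ordered) input
| where RowNumber > (pageNumber - 1) * pageSize and RowNumber <= pageNumber * pageSize
```

Because new rows keep arriving, pin the time range with fixed `datetime()` bounds instead of `ago()` when paging must be repeatable across runs.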
Q: Which columns are displayed in a search result if not specifically projected?
Multiple heuristics determine which fields to display. Some common ones are:
Q: Can I delete unused custom log tables from a workspace?
The tables will disappear once empty. Use the purge API or wait for the retention period to end.
Standard fields include event time fields, record type, and billing information fields. See Standard properties in Azure Monitor Logs for more details.
Q: Can we guarantee that data ingested into Azure Sentinel cannot be tampered with?
Data in database storage cannot be altered once ingested but can be deleted using the purge API. Although data cannot be altered, some certifications require that data is kept immutable and cannot be changed or deleted in storage. Data immutability can be achieved using data export to a storage account that is configured as immutable storage.
Q: How often does Azure Sentinel poll TAXII for new IOCs, and can this be configured?
This depends on the TAXII server. Generally speaking, if a well-formed TAXII server adheres to the standards, the TAXII data connector will pull the entire collection on the first connection and then pull only incremental changes every minute.
Q: What information from the TAXII server does Azure Sentinel pull?
Currently, Azure Sentinel requests from the TAXII server and ingests only indicator STIX objects. We are planning the support of other STIX Domain Objects in the future. We perform a mapping from STIX to the ThreatIntelligenceIndicator table schema when we import the data.
Q: Is pagination supported in TAXII?
Yes, we support pagination. The TAXII server determines the page size, i.e. the number of IOCs returned per request.
Q: Do we have specific IP addresses that we would use to pull this data into Sentinel?
While there are no specific IP addresses, they will be Azure IP addresses within the relevant workspace region. You can find the list of Azure IP addresses here (the list is dynamic).
Q: How do I use the confidence score associated with threat intelligence IoCs?
The confidence score conveys how certain the provider of the threat indicator is that observations matching the indicator's pattern actually indicate the described threat. Keep in mind this number is always set by the provider of the indicator. It is primarily useful to security investigators, who can use it to decide how urgently to respond to the threat. One could also author analytics rules that use this value to determine alert severity, aggregation behavior, etc., depending on higher or lower confidence values.
Q: Events in the CommonSecurityLog (CEF) tables include threat intelligence information. Where does it come from?
An internal process matches IP addresses from CEF logs to an internal Microsoft threat intelligence platform and extends rows with additional information when matches are found. If the customer believes this to be a false positive, they should open a support ticket.
Q: Do Watchlists support multiple workspaces?
A Watchlist can be used in queries only within the current workspace. You would need to create a copy of the Watchlist in each workspace or use an alternative lookup method as described here.
Q: Are there any restrictions to queries used in Azure Sentinel rules?
Azure Sentinel supports Log Analytics KQL queries; those may somewhat differ from Azure Data Explorer KQL queries.
Also, queries used in alert rules have the following limitations:
| extend AccountCustomEntity = your_value
| extend AccountCustomEntity = tostring(your_value)
| extend custom_details_temp = parse_json(ExtendedProperties)
| evaluate bag_unpack (custom_details_temp, "custom_")
| project custom_IncidentId = column_ifexists("custom_IncidentId", "")
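The following is an added analytics-rule query (not from the original post) that ties together the confidence-score discussion above and the rule limitations just listed: it matches CEF destination IPs against active TI indicators, drops indicators below a confidence threshold, derives a severity column from ConfidenceScore for an alert-details override, maps entities as strings, and projects custom-detail columns with column_ifexists. The names minConfidence, TI_ipEntity and AlertSeverity are assumed; the table and column names are the standard ThreatIntelligenceIndicator and CommonSecurityLog ones.

```kql
// Added example: TI match on CommonSecurityLog with confidence-driven severity.
let dt_lookBack  = 1h;    // how far back to scan CEF events
let ioc_lookBack = 14d;   // how far back to load indicators
let minConfidence = 50;   // constructed threshold: ignore low-confidence indicators
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
// keep only the latest version of each indicator
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP)
| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP)
| where ConfidenceScore >= minConfidence
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(DestinationIP)
    | extend CommonSecurityLog_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.DestinationIP
// only count traffic seen after the indicator was published
| where CommonSecurityLog_TimeGenerated >= LatestIndicatorTime
// severity derived from the provider's confidence, for the alert-details override
| extend AlertSeverity = case(ConfidenceScore >= 80, "High",
                              ConfidenceScore >= 65, "Medium",
                              "Low")
// entity mapping columns must be strings
| extend IPCustomEntity   = tostring(DestinationIP),
         HostCustomEntity = tostring(DeviceName)
// custom details; column_ifexists tolerates a column missing from the schema
| project CommonSecurityLog_TimeGenerated, AlertSeverity, IPCustomEntity, HostCustomEntity,
          Indicator_Description = Description,
          Indicator_Confidence  = tostring(ConfidenceScore),
          Indicator_Type        = ThreatType,
          Indicator_TLP         = tostring(column_ifexists("TrafficLightProtocolLevel", "unknown"))
```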
Q: How can I learn about the schema of the tables in Azure Sentinel?
See the Log Management module FAQ above.
Q: Does Azure Sentinel support on-prem automation?
Yes. If the target on-prem system supports a REST API, the Logic Apps on-prem gateway can be used. To run any command on-prem, use Azure Automation in conjunction with Logic Apps as described in the blog post: Automatically disable On-prem AD User using a Playbook triggered in Azure.
Q: Can I add custom Images to a workbook?
You can insert images in markdown (text) steps in a workbook using the markdown image syntax. The text's content can also use workbook parameters if you want the paths to change based on parameter values.
Q: Can I embed videos in a workbook?
Not at this time, though animated images will work.
Q: How do I get a notification when a resource is updated?
Q: How are incidents updated when Microsoft alerts are updated?
When using Microsoft rules which create incidents directly from an alert from Microsoft products, Azure Sentinel handles updates for those alerts automatically:
Q: Any limit on number of comments for an incident?
Yes. You can add up to 100 comments to an incident.
Q: It is not enough to block an Office 365 user when a breach is detected. How do I kill active sessions?
Q: Is there a reason to choose the MITRE attacks tactic in Sentinel for Hunting?
A hunting campaign has to start with a strategy – where do I hunt? This translates to filtering the hunting queries in Azure Sentinel and running the relevant queries to your starting point. A strategy that takes a specific MITRE tactic as a starting point is a popular one.
Q: How do I learn about service disruptions?
The Azure Services Status page should be your first place to look. This page enables identifying issues in all the services supporting Azure Sentinel, including Log Analytics, Logic Apps and Azure Sentinel itself.
For more details on issues in Azure Monitor, refer to the Azure Monitor Status blog.