In 2020, when everything was in lockdown, I spent quite a lot of time in getting to know how to create a proof of concept for Azure sentinel, and show its value to the management. I found quite a lot of resources on the internet, and used many hours studying Microsoft security blogs to find out best ways of doing it. I will share my experience here, so that it is a bit easier for our colleagues in the community to implement it. The idea with this proof of concept is to show the following in action:
Security Orchestration & Automated Response
Advanced cyber threat detection
User Behavior Analysis (UBA)
Events and Alerts
To start, you must have Azure AD. Connecting onPremises AD via MMA will not work, because Sentinel will not have access to password-hashes and wont know if passwords were breached. Also, Azure AD will be important to test features like CASB etc.
Once you have AAD in place, you must make an architecture. It is to visualize how it will be implemented and how it will look like when it has gone live. It is possible that the POC will be extended to get into production on same tenant, so plan accordingly. For example, scoping around how many devices (onPrem & cloud) will participate in it. Which services to include in POC. If you are using O365, it will be obvious to include this as well, to see malicious links and attachments and getting alerted on it.
Since it is a POC, you can save some money on using Anomali as a TI feed. It offers free of cost threat intelligence and it can be used to correlate with IP addresses and URLs in logs.
If you are using any other Microsoft services like Intune, you can use it too. There are some advanced Microsoft services which offer 90 days free trial (for example AD premium license), which can easily be activated for this proof of concept.
Using most of the existing Microsoft cloud services will add to the benefits, while costs will be minimal. Azure sentinel offers 90 days free of cost data retention. When 90 days period is over, the data will be deleted. If you need to keep the data afterwards, you can use ADX to retain the data at cheaper rates. But 90 days should be enough for the proof of concept.
Once a few log-sources (including email, intune, AAD, VMs, etc) are connected, you can focus only on security logs and do not import performance logs. This should already be defined in the project scope, but important to keep in mind to reduce costs.
Now you can select and fine tune the rules that you need to get alerted on. Remember to automate a couple of response scenarios, like log on from a new location. It shows an excellent resource saving feature, that management will love.
I kept running proof of concept with all the above stated log sources, with a total cost of USD $26.00.
To keep this post readable, I have posted a few highlights. If there are any questions, or comments, please feel free :)