Forum Discussion

msef280
Copper Contributor
May 10, 2021

What Logs To Monitor For Initial Sentinel Onboard

Does anyone have any recommendation what logs to monitor or best practices once Sentinel is enabled then what events we should focus on? Currently working on pricing but as we are sending logs from o...
  • John_Barbare
    Jun 10, 2021
    I would start with the free connectors first:
    - Azure Active Directory Identity Protection - Alerts
    - Azure Activity
    - Azure Defender - Alerts
    - Microsoft Cloud App Security - Alerts
    - Microsoft Defender for Endpoint - Alerts
    - Microsoft Defender for Office - Alerts
    - Office 365 Activity - Admin and audit logs (SharePoint, Exchange, OneDrive, Teams)

    If you use the paid connectors next, use this query to keep track and stay under budget:

    //Billable data volume by data type
    Usage
    | where TimeGenerated > ago(32d)
    | where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
    | where IsBillable == true
    | summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType | render barchart
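    The query above charts volume per data type. As an added example (not part of the original reply), the KQL below builds on it to answer the budget question directly: it rolls each day up to a single total, keeps the per-type breakdown as a property bag so you can see which connector drove a spike, and flags days over a daily allowance. DailyBudgetGB is an assumed placeholder value; set it to the daily share of your own commitment tier.

```kql
// Added example, not from the original thread.
// Same 31-day window of billable Usage rows as the query above (Quantity is in MB),
// rolled up per day with an over-budget flag and a per-DataType breakdown.
let DailyBudgetGB = 5.0;   // assumed placeholder: daily GB you are willing to pay for
let Daily = Usage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize DailyGB = sum(Quantity) / 1000. by Day = bin(StartTime, 1d), DataType;
Daily
| summarize TotalGB = round(sum(DailyGB), 2),
            ByType = make_bag(bag_pack(DataType, round(DailyGB, 2))) by Day
| extend OverBudget = TotalGB > DailyBudgetGB
| order by Day asc
```

    Run it in the Sentinel workspace's Logs blade; the same query body can be saved as a scheduled analytics rule so that a day that trips OverBudget raises an incident instead of waiting for the invoice.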
