SOLVED

What Logs To Monitor For Initial Sentinel Onboard


Does anyone have any recommendations on what logs to monitor, or best practices for which events we should focus on once Sentinel is enabled? I'm currently working on pricing. We are sending logs from our own syslog server, but I want to filter them there and only send to Sentinel the logs which I think will be useful (the source can be anything: endpoint, DNS, Windows security events, etc.), so that based on that volume we can estimate the cost. Is there any documentation I can follow?
Any suggestion would be appreciated.

2 Replies
It all depends on what systems you have, but here are some good ones:
- Azure Active Directory Identity Protection
- Azure Active Directory
- Azure Activity
- Azure DDoS Protection
- Azure Defender
- Azure Firewall
- Azure Information Protection (Preview)
- Azure Key Vault
- Azure Kubernetes Service (AKS)
- Azure SQL Databases
- Azure Storage Account (Preview)
- Microsoft 365 Defender (Preview)
- Microsoft Cloud App Security
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity (Preview)
- Microsoft Defender for Office 365 (Preview)
- Office 365
- Security Events
- Threat intelligence - TAXII (Preview)
- Threat Intelligence Platforms (Preview)
best response confirmed by John_Barbare (Microsoft)
Solution
I would start with the free connectors first -
- Azure Active Directory Identity Protection - Alerts
- Azure Activity
- Azure Defender - Alerts
- Microsoft Cloud App Security - Alerts
- Microsoft Defender for Endpoint - Alerts
- Microsoft Defender for Office - Alerts
- Office 365 Activity - Admin and audit logs (SharePoint, Exchange, OneDrive, Teams)

If you use the paid connectors next, use this query to keep track and stay under budget:

//Billable data volume by data type
Usage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType
| render barchart
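As an added example, not code from this thread or from Microsoft, the Python below ties the two halves of the discussion together: part 1 applies the kind of pre-filter the question describes on a syslog server (forward only chosen sources, and only an allowlist of Windows security event IDs) and measures the bytes that would actually be sent, so the volume can be sized before any paid connector is turned on; part 2 re-implements the filters of the KQL query above over constructed `Usage`-shaped rows and flags days that exceed a daily budget. The sample syslog lines and usage rows are constructed, the program-to-table mapping, the forwarding policy, the event ID allowlist and the budget figure are all assumptions for the demonstration, and `Quantity` is taken to be in MB as the query's `/ 1000.` implies.

```python
"""Size Sentinel ingestion before onboarding. Part 1 filters a syslog stream the
way the question describes; part 2 is the thread's KQL budget query in Python.
Added example for this thread; sample data, policy and budget are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- 1. Pre-filter on the syslog server (constructed RFC 3164-style lines) ---
SAMPLE_SYSLOG = """\
<86>Jun 14 09:01:02 dc01 Microsoft-Windows-Security-Auditing: EventID=4625 LogonType=3 Account=jsmith Src=10.0.0.5
<86>Jun 14 09:01:03 dc01 Microsoft-Windows-Security-Auditing: EventID=4624 LogonType=2 Account=jsmith Src=10.0.0.5
<86>Jun 14 09:01:03 dc01 Microsoft-Windows-Security-Auditing: EventID=5156 Direction=Outbound Dst=10.0.0.53:53
<30>Jun 14 09:01:04 dns01 named: client 10.0.0.9#5353: query: update.example.net IN A
<14>Jun 14 09:01:06 ws07 edr-agent: alert severity=high process=powershell.exe
<190>Jun 14 09:01:07 ws07 CRON: (root) CMD (run-parts /etc/cron.hourly)
"""
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\s\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Assumed mapping from program name to the table the data would land in.
PROGRAM_TO_DATATYPE = {"Microsoft-Windows-Security-Auditing": "SecurityEvent",
                       "named": "DnsEvents", "edr-agent": "EndpointAlert"}
# Assumed policy: forward these types; Windows security events only for an
# allowlist of event IDs (the chatty 5156 filtering-platform event is not on it).
FORWARD_DATATYPES = {"SecurityEvent", "DnsEvents", "EndpointAlert"}
SECURITY_EVENT_ALLOWLIST = {"4624", "4625", "4688", "4720", "4728", "4732"}

def parse_syslog(line):
    """Return program, message, data type and byte size, or None if unparsable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"program": m.group("prog"), "msg": m.group("msg"),
            "datatype": PROGRAM_TO_DATATYPE.get(m.group("prog"), "Other"),
            "bytes": len(line.encode("utf-8"))}

def should_forward(rec):
    if rec["datatype"] not in FORWARD_DATATYPES:
        return False
    if rec["datatype"] == "SecurityEvent":
        m = re.search(r"\bEventID=(\d+)", rec["msg"])
        return m is not None and m.group(1) in SECURITY_EVENT_ALLOWLIST
    return True

def volume_by_datatype(text):
    """Bytes that would be forwarded vs. dropped, keyed by data type."""
    sent, dropped = defaultdict(int), defaultdict(int)
    for line in text.splitlines():
        rec = parse_syslog(line)
        if rec is not None:
            (sent if should_forward(rec) else dropped)[rec["datatype"]] += rec["bytes"]
    return dict(sent), dict(dropped)

def projected_daily_gb(sent_bytes, window_seconds):
    """Extrapolate a sample window to one day, in decimal GB like the KQL's /1000."""
    return sent_bytes * 86400 / window_seconds / 1000 ** 3

# --- 2. The thread's KQL query over constructed Usage rows (Quantity in MB) ---
NOW = datetime(2021, 6, 14, 9, 30, tzinfo=timezone.utc)

def _row(y, mo, d, h, datatype, mb, billable=True):
    start = datetime(y, mo, d, h, tzinfo=timezone.utc)
    return dict(TimeGenerated=start + timedelta(minutes=65), StartTime=start,
                EndTime=start + timedelta(hours=1), DataType=datatype,
                IsBillable=billable, Quantity=mb)

SAMPLE_USAGE = [
    _row(2021, 6, 13, 0, "SecurityEvent", 1500.0),
    _row(2021, 6, 13, 1, "SecurityEvent", 500.0),
    _row(2021, 6, 13, 0, "DnsEvents", 250.0),
    _row(2021, 6, 13, 0, "AzureActivity", 100.0, billable=False),  # free connector
    _row(2021, 6, 14, 0, "SecurityEvent", 900.0),  # today is a partial day: excluded
    _row(2021, 5, 13, 0, "DnsEvents", 400.0),  # older than the 31-day window
]

def billable_gb_by_day(rows, now=NOW):
    """Same filters as the KQL: TimeGenerated > ago(32d), whole days from
    startofday(ago(31d)) up to (not including) today, IsBillable, MB/1000 -> GB."""
    start_of_today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    window_start = start_of_today - timedelta(days=31)
    out = defaultdict(float)
    for r in rows:
        if r["TimeGenerated"] <= now - timedelta(days=32) or not r["IsBillable"]:
            continue
        if r["StartTime"] < window_start or r["EndTime"] >= start_of_today:
            continue
        out[(r["StartTime"].strftime("%Y-%m-%d"), r["DataType"])] += r["Quantity"] / 1000.0
    return dict(out)

def days_over_budget(gb_by_day, daily_budget_gb):
    """Days whose billable total exceeds the daily budget, as (day, GB) pairs."""
    per_day = defaultdict(float)
    for (day, _), gb in gb_by_day.items():
        per_day[day] += gb
    return sorted((d, round(g, 3)) for d, g in per_day.items() if g > daily_budget_gb)
```

Calling `volume_by_datatype(SAMPLE_SYSLOG)` shows the two allowlisted logon events, the DNS query and the EDR alert going out while the 5156 event and the cron noise stay behind; `projected_daily_gb` turns a measured sample window into a per-day figure to price against. `billable_gb_by_day(SAMPLE_USAGE)` reproduces the query's result for the constructed rows (2.0 GB of `SecurityEvent` and 0.25 GB of `DnsEvents` on 2021-06-13, with the free, partial-day and out-of-window rows excluded), and `days_over_budget` is the alerting step the query's bar chart leaves to the eye.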