Sentinel Log Volume vs Defender Log Volume
Dear community, we're currently building up our first SOC service and wondering about the costs (not realy, we know that SIEM is expencive, but we don't understand the log volumes). We started with sentinel and enabled the XDR connector with all log sources (Device information, Defender for Identity etc). If we take a look into the LAW and log volumes for those tables, we've an ingest as shown in the following exibit: BUT, in comparison, we did a cost analysis with the real defender information (from Defender portal). We come to an estimated log volume from approx. 45GB (and usually billable around 25GB, because the customer has E5 licenses, which should include the AADNonInteractiveUserSignInLogs table (5MB/user/day for free) We're asking ourself why we got this differences in comparison to the last few days, shown in the exibit (attention: we started with a daily ingest cap, so the daily ingest would be around 90 - 100GB/day). Where is our mistake/lag of knowledge? Here are the KQL, sent wihtin the Defender portal to get the volumes from there AlertInfo | union AlertEvidence | summarize RecordCount = count(), AlertTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) EmailEvents | union EmailUrlInfo | union EmailAttachmentInfo | union EmailPostDeliveryEvents | union UrlClickEvents | summarize RecordCount = count(), MDOTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) IdentityLogonEvents | union IdentityQueryEvents | union IdentityDirectoryEvents | summarize RecordCount = count(), IDTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) DeviceInfo | union DeviceNetworkInfo | union DeviceProcessEvents | union DeviceNetworkEvents | union DeviceFileEvents | union DeviceRegistryEvents | union DeviceLogonEvents | union DeviceImageLoadEvents | union DeviceEvents | union DeviceFileCertificateInfo | summarize RecordCount = count(), MDETotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) CloudAppEvents | summarize RecordCount = count(), CAppsTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) Thanks a lot! Best & have nice a nice easter :-)Cribl o Logstash vs AMA CEF: What’s the Best Choice for Ingesting Firewall Logs?
Hi everyone, what are the advantages of using Cribl or Logstash over a CEF log collector via AMA for ingesting firewall logs such as Palo Alto for example into Microsoft Sentinel? In a typical scenario, how would you configure the ingestion to optimize performance, scalability, and cost? What do you think? Let’s discuss and share experiences!
Feed data location to run against Sentinel's KQL function
Hi, We have a feed consisting of around 250,000-300,000 entries and will be imported daily. We do not intend to store this data in Sentinel as a table and would like to store it somewhere else (Cosmos, storage, etc.) from where we can grab this data and run it against one of our Sentinel's KQL functions to generate Alerts. Planning to use Logic Apps/Functions to do the above actions. But would like to know what would be the right solution here so that comparing the feed data against KQL function results would be fast and not of high cost Thank you !!
Defender advanced hunting, data-grant from Defender for Servers licensing.
Hi, when configuring Defender for Servers P2 in Defender for Cloud it states that you would be granted a 500 MB per day free ingestion to a log analytics workspace, such as in Sentinel. However, when looking into the supported data sources I do not find the advanced hunting data that would be my first go-to data source when setting up Sentinel, how come? Here is a screenshot of how data-ingestion changed once i turned on the XDR connector, am I to understand that the 500MB ingestion per device we're paying for will do nothing to cover this cost? The E5 grant of 5MB/user/day is nowhere near this amount of data. Is there a way to utilize the 500MB ingestion per device grant for the advanced hunting data?
Linux AMA log ingestion filtering specific logs
I had previously applied ingestion time data transformation for few incoming logs in syslog table when I was using MMA agent for linux. Now I am moving to AMA for Linux servers. How do I apply specific log filtering on AMA for linux logsources? such as if ip is 1.1.1.1 and it contains err logs, drop them. I know it is possible in windows DCR but how can I built same DCR for linux in AMA to filter out them.AMA agent DCR log filtering
Hi, I have previously created KQL queries for ingestion time transformation and was filtering out certain event ids and few other logs (e.g. | where not(EventID == 4799 and CallerProcessName contains "C:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe") ) . Now I have almost 80+ filtering KQL queries which I have applied on securityEvent table to filter out specific logs. I have shifted my servers from MMA agent to AMA agent and AMA agent has its down DCR and my existing ingestion time transformation won't work now. I need to create xpath queries in new DCR. Is there anyway I can convert all of the existing ingestion time transformation applied KQLs (example already mentioned above)? OR Do I need to create separate DCRs for AMA to filterout specific events which are 80+?SAP Data Connector - Sentinel
Hi Community, we are using SAP Data connector for Sentinel for one Month. According to Microsoft the connector charges for production environments 2 $ per hour after 1. May. Our SAP Environment is a Demo and it can be also viewed at the T000 Table. We have seen that the connector has started to charge us for three days (it is also not understandable because it is supposed to charge us from the beginning of the month, if the environment type has been read as Production and we have not changed anything in the infrastructure). It is also displayed in the Connector page as Demo. As a result i had to stop Agent and it stopped to charge. I couldnot find the reason, is there anybody who uses the this connector with demo SAP env. I appreciate your answers. Thank you in advance.How to use Defender for Cloud App with cost optimization for both environment ( Dev and Prod )
Hi All, I have two subscriptions 1. Development and 2. Production. In the Dev subscription, I have a lot of resources like about 20 storage accounts and 12 app service plans and 4 Azure SQL and etc. As you know, Defender for Cloud is subscription level, therefor If I enable it on a Dev subscription the cost should be more expensive. But in the Prod environment, I will enable Defender for Prod's resources. Now, I want to know how can I use Defender for Dev's resources with minimum cost or what's the best solution or best practice for this issue. My idea is to use Prod security recommendations for the same resources in the Dev environment. Is there another idea?Analytic rules, KQL queries and UEBA pricing
Hi, I am interested if there is any additional cost when talking about Log Analytics Workspace (without Sentinel) when it comes to running KQL queries? Are there any "data processing" costs that occur or is it free in that sense? On this link https://azure.microsoft.com/en-us/pricing/details/monitor/ I didn't see any mention of "data processing costs", Microsoft only mentions "Log data processing" feature name "Log data ingestion and transformation" but writing KQL queries is not data transformation in that sense -> https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations When talking about Sentinel, should I expect larger bill if I enable 50-500 Analytic rules from Sentinel templates or content hub? Do these or custom analytic rules occur any additional "processing" costs? On this link https://azure.microsoft.com/en-us/pricing/details/microsoft-sentinel/ Microsoft only mentions "Search jobs". I assume Analytic rules and issuing KQL queries fall into category search jobs. What if someone is not using Sentinel but only Log Analytics Workspace and writing KQL queries? Since this (search jobs) is not mentioned on https://azure.microsoft.com/en-us/pricing/details/monitor/ is documentation just not up to date and this same search job price applies to KQL queries in Log Analytics deployments without Sentinel? Microsoft states UEBA doesn't cost any additional money. Is it truly no additional cost or some cost will occur since it processes data from Audit Logs, Azure Activity, Security Events and SignIn Logs tables, namely as described by "search jobs"?
