Entities missing in Incidents
Hello, Entities are not showing on any of the incidents in Sentinel. Although, I have mapped the entities correctly for each alert. I have the same alerts and entities mapping on other tenant and it shows entities there. What could be the issue? Update: I raised the support ticket to microsoft. Issue has been resolved by Microsoft. It was a misconfiguration from the backend.
Analytic rules, KQL queries and UEBA pricing
Hi, I am interested if there is any additional cost when talking about Log Analytics Workspace (without Sentinel) when it comes to running KQL queries? Are there any "data processing" costs that occur or is it free in that sense? On this link https://azure.microsoft.com/en-us/pricing/details/monitor/ I didn't see any mention of "data processing costs", Microsoft only mentions "Log data processing" feature name "Log data ingestion and transformation" but writing KQL queries is not data transformation in that sense -> https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations When talking about Sentinel, should I expect larger bill if I enable 50-500 Analytic rules from Sentinel templates or content hub? Do these or custom analytic rules occur any additional "processing" costs? On this link https://azure.microsoft.com/en-us/pricing/details/microsoft-sentinel/ Microsoft only mentions "Search jobs". I assume Analytic rules and issuing KQL queries fall into category search jobs. What if someone is not using Sentinel but only Log Analytics Workspace and writing KQL queries? Since this (search jobs) is not mentioned on https://azure.microsoft.com/en-us/pricing/details/monitor/ is documentation just not up to date and this same search job price applies to KQL queries in Log Analytics deployments without Sentinel? Microsoft states UEBA doesn't cost any additional money. Is it truly no additional cost or some cost will occur since it processes data from Audit Logs, Azure Activity, Security Events and SignIn Logs tables, namely as described by "search jobs"?FinOps In Microsoft Sentinel
Microsoft Sentinel's security analytics and operations data is stored in an Azure Monitor Log Analytics workspace. Billing is based on the volume of data analyzed in Microsoft Sentinel and stored in the Log Analytics workspace. The cost of both is combined in a simplified pricing tier. Microsoft 365 data sources are always free to ingest for all Microsoft Sentinel users: Billable data sources: Although alerts are free, the raw logs for Microsoft Endpoint Defender, Defender for Cloud Apps, Microsoft Entra ID sign in and audit logs, and Azure Information Protection (AIP) data types are paid: Microsoft Sentinel data retention is free for the first 90 days. Enable Microsoft Sentinel on an Azure Monitor Log Analytics workspace and the first 10 GB/day is free for 31 days. The cost for both Log Analytics data ingestion and Microsoft Sentinel analysis charges up to the 10 GB/day limit are waived during the 31-day trial period. This free trial is subject to a 20 workspace limit per Azure tenant • By default, all tables in your workspace inherit the workspace's interactive retention setting and have no archive. • You can modify the retention and archive settings of individual tables Azure Monitor Logs retains data in two states: - Interactive retention: Lets you retain Analytics logs for interactive queries of up to 2 years. - Archive: Lets you keep older, less used data in your workspace at a reduced cost. • You can access data in the archived state by using search jobs, restore and keep data in archived state for up to 12 years • Its very important for cost management in MS Sentinel when you define short data retention period, but firstly go in Log Analytics WS | Workbooks | Workspace Usage in order to see tables size Use this workbook to analyze the the sizes of the different tables in your workspace: Where can save your money? Ingestion • Carefully plan what data is sent into your Microsoft sentinel workspace • Utilize filtering mechanisms to reduce ingestions to what the SOC needs • Set daily cap (good for PoC scenarios but not recommend for production) Retention • Send data to other storage platforms that have cheaper storage costs (Azure blob storage, Azure data explorer) Compute • Shutdown Azure machine learning compute during off hours, consider using reserved instances pricing • Set quotas on your subscription and workspaces • Use low-priority virtual machine (VM) Bandwidth • Sending data across Azure regions might incur into additional costs Ingestion planning • Analyze your data sources and decides what data is needed by your SOC for detection, investigations, hunting and enrichment. Take use-driven approach • Plan your workspace design • Existing workspaces might be ingesting data not needed by the SOC • Consider using separate workspace for Microsoft Sentinel • When possible enable Defender for Servers on the same workspace where you enable Microsoft Sentinel, you get 500 MB of free data ingestion per day • If you configure your Log Analytics agent to send data to two or more different Log Analytics workspaces (multi-homing), you'll get 500-MB free data ingestion for each workspace. Retention • Microsoft Sentinel retention is charged ($0.1/GB/month) and can become a big portion of the Microsoft Sentinel cost • 1.2 TB/day ingestion with 1-year retention (East US list prices) Ingestion: ~ $89К/month Retention: ~ $33К/month • If you require more than 90 days retention, determine if you need it for the whole workspace or just some tables • Consider using other storage platform for long storage retention (Azure blob storage, Azure data explorer) Long term retention options: • Azure blob storage • Cheaper than Microsoft sentinel retention • Difficult for query • Ideal for audit/compliance purposes Azure Data explorer Stores security logs in Azure Data Explorer on a long-term basis. Minimizes costs and provides easy access when you need to query the data and stores most of the data in the cold cache, minimizing the computing cost. Log Analytics doesn't currently support exporting custom log tables. In this scenario, you can use Azure Logic Apps to export data from Log Analytics workspaces. Because Azure Data Explorer provides long-term storage, you can reduce your Sentinel retention costs with this approach and ideal for forensic investigation and hunting on older data Can achieve up to 75% saving on retention costs Instead of using Azure Data Explorer for long-term storage of security logs, you can use Storage. This approach simplifies the architecture and can help control the cost. A disadvantage is the need to rehydrate the logs for security audits and interactive investigative queries. With Azure Data Explorer, you can move data from the cold partition to the hot partition by changing a policy. This functionality speeds up data exploration. Bandwidth Sending telemetry from one Azure region to another can incur in bandwidth costs this only affect Azure VMs that send telemetry across Azure regions data sources based on diagnostics settings are not affected not a big cost component compared to ingestion or retention Example: 1000 VMs, where each generates 1GB/day, sending data from US to EU: 1000 VMs * 1GB/day *30 days/month*$0.05/GB =$1.500/month Ingestion Cost Alert Playbook Managing cost for cloud services is an essential part of ensuring that you get maximum value for your investment in solutions running on this computing platform. Azure Sentinel is no different. To help you exercise greater control over your budget for Azure Sentinel this playbook will send you an alert should you exceed a budget that you define for your Azure Sentinel Workspace within a given time-frame With the ingestion cost alert playbook, you can set up an alert based on the budget defined in your Microsoft Sentinel workspace within a given timeframe. Ingestion Anomaly Alert Playbook This playbook sends you an alert should there be an ingestion spike into your workspace. The playbook uses the series_decompose_anomalies KQL function to determine anomalous ingestion The Workspace Usage Report workbook The Workspace Usage Report workbook provides your workspace's data consumption, cost, and usage statistics. The workbook gives the workspace's data ingestion status and amount of free and billable data. You can use the workbook logic to monitor data ingestion and costs, and to build custom views and rule-based alerts. This workbook also provides granular ingestion details. The workbook breaks down the data in your workspace by data table, and provides volumes per table and entry to help you better understand your ingestion patterns. Azure pricing model – based on volume of data ingested User Entity Behavior Analytics Approximately 10% of the cost of logs selected for UEBA Reduce To change your pricing tier commitment, select one of the other tiers on the pricing page, and then select Apply. You must have Contributor or Owner role in Microsoft Sentinel to change the pricing tier costs for Microsoft Sentinel Useful links: Tools that are related to FinOps on Azure Sentinel (Azure Pricing Calculator, Azure Cost Management, Azure Advisor, TCO Calculator, Azure Hybrid Benefit Savings Calculator) https://techcommunity.microsoft.com/t5/fasttrack-for-azure/the-azure-finops-guide/ba-p/3704132 Manage and monitoring Costs for Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/billing-monitor-costs Reduce costs for Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/billing-reduce-costs Ingestion Cost Spike Detection Playbook https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ingestion-cost-spike-detection-playbook/ba-p/2591301 Ingestion Cost Alert Playbook https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ingestion-cost-alert-playbook/ba-p/2006003 Introducing Microsoft Sentinel Optimization Workbook https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/introducing-microsoft-sentinel-optimization-workbook/ba-p/3901489
Logstash collector vs UEBA and Exploration queries
Hello, When using the official and supported Logstash output to ingest events from a WEC server, the table is not named `SecurityEvent` (gets `_CL` appended) and the fields are all appended with their types (due to the LogAnalytics API, documented behaviour). This breaks features such as the Exploration Queries (to pivot from investigation blade) which all expect the table to be named `SecurityEvent` with specific fields. Do you plan to allow to create SecurityEvent table with proper fields through your official Logstash output or do you plan to allow to define mapping so that we could define that SecurityEvent table is corresponding to (example) Windows_CL and that field `EventID` is mapped to `EventID_d` (mapping to be defined by contributor for all fields required by UEBA/Exploration Queries)? Best regardsInconsistent entity information
I'm trying to use a playbook trigged by an analytics rule to automate sending an approval email for things like a new device being registered to a user or MFA settings being changed. When the playbook is triggered I seem to get inconsistent entity information from the incident, for example sometimes "accountname" only shows first.last and sometimes accountname is the full UPN which is what I want and what's specified in the analytics rule. Because of this the playbook fails later when I try to use the accountname for other things. How can I get this to be consistent?Sentinel Assitance - KQL Query
Hey! Looking for assistance with creating a KQL query that can look at members of approx. 15 dynamic security groups and identify if they have any SharePoint site permissions across a tenant. My assumption is that the query will include a join between IdentityInfo and OfficeActivity but I'm not even sure the information I'm looking for will be in the OfficeActivity table. Thanks, Brandon
Sentinel Entity Query Templates
Hello, I've been trying to write a script for enabling Microsoft Sentinel Entity Behavior templates via API and I'm stuck. I'm using this API call to get all the templates https://docs.microsoft.com/en-us/rest/api/securityinsights/preview/entity-query-templates/list?tabs=HTTP, but I cannot figure out, how to see if any of these activities are already enabled. I've tried Listing and Getting specific Entity with https://docs.microsoft.com/en-us/rest/api/securityinsights/preview/entity-queries/get?tabs=HTTP, but I do not get a property "templateName", I also tried older versions of the API. I've tried comparing "queryTemplate" in Entities with "queryDefinitions.query" in EntityTemplates. No luck. How can I automatically enable entity query templates that aren't in use? ThanksEUBA - Active Directory (Preview)
All, We have a few activity rules which rely on specific SID of well know groups etc. It is unclear to me which source is needed to enable those activity rules. There is also a preview for Active Directory, but in Microsoft docs I do not see any information besides toggle the option to On 🙂 I have the following questions: What will be ingested when you enable the Active Directory (preview)? In which UEBA tables? Which activity rules rely on the Active Directory (preview) data source? UEBA also relies on security events ingestion, we ingest those events already from our domain controllers with the common setting. 4. Will there be an overlap of security events which will be ingested? AND From Defender we also ingest the following 3 tables into Sentinel IdentityLogonEvents; IdentityQueryEvents; IdentityDirectoryEvents. Is this an overkill or is there a best practice available when you utilize all these data sources from you Domain Controllers? Regards Arjan
