Minimum Viable Configuration for Microsoft Sentinel

What is the the Minimum Viable Configuration (MVC) for Microsoft Sentinel aimed at protecting a small business (SMB), the setup steps, and the estimated costs.

Understanding the Goal of an MVC for Sentinel in an SMB Context

The goal isn’t to catch every sophisticated nation-state attack, but to provide fundamental visibility and detection for common threats targeting SMBs, such as:

1. Compromised Credentials: Detecting suspicious sign-ins, impossible travel, etc.
   

2. Malware/Ransomware: Leveraging endpoint protection alerts.
   

3. Phishing & Email Threats: Monitoring Office 365 activity.
   

4. Basic Cloud Misconfigurations/Anomalies: Using built-in cloud security alerts.

The MVC focuses on leveraging the security signals already generated by the Microsoft ecosystem (assuming the SMB uses Microsoft 365 and Azure AD).

Minimum Viable Configuration (MVC) Components

1. Azure Subscription: The foundation for all Azure services.
   

2. Log Analytics Workspace: The data repository where Sentinel stores and analyzes logs. Configured for Pay-As-You-Go pricing initially.
   

3. Microsoft Sentinel Instance: Enabled on top of the Log Analytics Workspace.
   

4. Core Data Connectors (Focus on Free/Included Tiers First):
   • Azure Active Directory (Entra ID):
     • Sign-in Logs (Requires Azure AD P1 or P2 license) – Crucial for credential compromise detection.
     • Audit Logs (Free) – Tracks admin activity.
       

     • Azure AD Identity Protection Alerts (Requires Azure AD P2 license) – High-fidelity alerts for risky users/sign-ins. If P2 isn’t available, rely more heavily on Sign-in log analytics.
   • Microsoft 365 Defender (Recommended if licensed): This single connector can ingest alerts from:
     
     • Microsoft Defender for Endpoint (if using MDE Plan 1/2 or Defender for Business)
       

     • Microsoft Defender for Office 365 (if using Plan 1/2)
       

     • Microsoft Defender for Identity (less common in pure SMB cloud setups)
       

     • Microsoft Defender for Cloud Apps
       

     • Benefit: Ingesting Alerts via this connector is often free.
   • Office 365 (Alternative/Supplement to M365 Defender):
     • Exchange Online & SharePoint Online audit logs (Standard Audit is generally free to ingest). Essential for tracking file access, mail rule changes, etc.
   • Azure Activity Log (Free): Tracks subscription-level events (creating VMs, changing settings). Important for basic Azure infrastructure security hygiene.
5. Essential Analytics Rules (Start with Templates):
   • Enable built-in Microsoft Security templates related to the connected data sources. Focus on:
     
     • Suspicious Azure AD Sign-in activity (Impossible travel, unfamiliar locations, logins from known malicious IPs).
       

     • Anomalous Office 365 activity (e.g., mass file downloads/deletions, suspicious inbox rule creation).
       

     • Alerts forwarded from Microsoft Defender products (e.g., Malware detected, phishing email reported).
       

     • Basic Azure activity anomalies (e.g., unusual resource creation/deletion).
6. Incident Management: Rely on the built-in Sentinel Incident queue for manual review and investigation.

What’s NOT in this MVC (to keep it minimal):

• Third-Party Data: No logs from non-Microsoft firewalls, servers, or applications initially.
  

• Advanced Analytics: No custom rules, machine learning models (beyond built-in ones), or complex threat intelligence feeds initially.
  

• SOAR/Automation: No automated response playbooks initially. Response is manual review and action.
  

• Extensive Workbooks/Dashboards: Rely on default views.
  

• Long Data Retention: Stick to the default or included retention (often 90 days free with Sentinel).

Setup Steps

• Prerequisites:

  • An Azure Subscription.
    

  • Appropriate Permissions: Contributor or Owner on the Azure subscription/resource group; Global Administrator or Security Administrator role in Azure AD/Microsoft 365 to authorize connectors.
    

  • Relevant Licenses: Microsoft 365 Business Premium (includes Defender for Business, Azure AD P1), M365 E3/E5, or standalone licenses (Azure AD P1/P2, Defender plans) are highly recommended for the data sources.

• Step 1: Create a Log Analytics Workspace

  1. Log in to the Azure portal (portal.azure.com).
     

  2. Search for “Log Analytics workspaces” and click “Create”.
     

  3. Choose your Subscription and Resource Group (create a new one if needed, e.g., RG-Security).
     

  4. Provide a Name (e.g., LAW-CompanyName-Security).
     

  5. Select a Region (choose one geographically close or with specific compliance needs).
     

  6. Select the Pricing Tier: Start with Pay-as-you-go.
     

  7. Review and Create.

• Step 2: Enable Microsoft Sentinel

  1. Search for “Microsoft Sentinel” in the Azure portal and select it.
     

  2. Click “Add” or “Create”.
     

  3. Select the Log Analytics Workspace you just created.
     

  4. Click “Add Microsoft Sentinel”. Deployment takes a few minutes.

• Step 3: Configure Data Connectors

  1. Once Sentinel is deployed, navigate to your Sentinel workspace.
     

  2. Go to Configuration -> Data connectors.
     

  3. Find and configure the following connectors (prioritize based on your licenses):
     
     • Azure Active Directory: Connect Sign-in logs and Audit logs. Requires authorization. If you have Azure AD P2, also connect Azure AD Identity Protection.
       

     • Microsoft 365 Defender: If you have relevant Defender licenses, connect this. It streamlines alert ingestion. Requires authorization. Configure it to sync alerts. This is often the most cost-effective way to get Defender alerts.
     • Office 365: If not using the M365 Defender connector for O365 data, or if you want raw logs beyond alerts, connect this. Select Exchange and SharePoint. Requires authorization.
       

     • Azure Activity: Connect this. It’s straightforward and free.
  4. For each connector, open its page, click “Open connector page”, and follow the specific prerequisites and configuration steps (usually involves ticking boxes and granting permissions).

• Step 4: Enable Analytics Rules

  1. In Sentinel, go to Configuration -> Analytics.
     

  2. Go to the Rule templates tab.
     

  3. Filter by Data Sources (e.g., Azure Active Directory, Office 365, Microsoft 365 Defender).
     

  4. Look for rules tagged Microsoft Security. These are often high-quality and maintained by Microsoft.
     

  5. Select relevant templates (e.g., “Sign-ins from IPs that attempt sign-ins to disabled accounts”, “Malware detection by Microsoft Defender Antivirus”, “Suspicious inbox manipulation rule”, “Impossible travel activity”).
     

  6. For each chosen template, click “Create rule”.
     

  7. Review the rule logic (you can accept defaults for MVC). Ensure it’s set to Enabled.
     

  8. Configure Automated response later; leave it empty for MVC.
     

  9. Create the rule. Start with 5-15 key rules covering identity, endpoint, and email threats.

• Step 5: Monitor Incidents

  1. Regularly (daily is recommended) check the Threat management -> Incidents blade in Sentinel.
     

  2. Review new incidents, assign them, investigate the alerts and entities involved, and close them with appropriate classifications.

Expected Monthly Costs

This is highly variable, but let’s break it down:

1. Log Analytics Ingestion:

   • Free Tier: Many security alerts ingested via the Microsoft 365 Defender connector and Azure Activity logs are free. Office 365 standard audit logs are also often free.
     

   • Paid Data: The primary cost driver will be paid data sources ingested. Azure AD Sign-in logs are a common paid source. The volume depends heavily on user count and activity.
     

   • Estimate: For a small business (e.g., 10-50 active users), ingesting only essential paid logs like Azure AD Sign-ins might result in 0.5 GB to 5 GB per month (this is a rough estimate). Some sources estimate ~1GB/month per 100 users for just sign-in logs, but activity varies hugely.
     

   • Cost: Log Analytics Pay-As-You-Go ingestion is roughly $2.76 per GB (price varies slightly by region, check current Azure pricing).

2. Sentinel Analysis Cost (Pay-As-You-Go):

   • Sentinel charges for analyzing the data ingested into Log Analytics. The PAYG rate is often similar to the Log Analytics ingestion rate, around $2.46 per GB (check current pricing).
     

   • Important: Data sources that are free to ingest into Log Analytics (like M365 Defender alerts, Azure Activity) are typically also free to analyze in Sentinel. You only pay Sentinel analysis costs on the paid data ingested into Log Analytics.

3. Log Analytics Retention:

   • The first 90 days of data retention are typically included free with Sentinel enabled.
     

   • Storing data beyond 90 days incurs a small storage cost (e.g., ~$0.12 per GB per month). For an MVC, sticking to 90 days is recommended.

Cost Summary Estimate for MVC:

• Scenario 1: Strict MVC using mostly FREE alert sources: If you rely heavily on the free ingestion from the M365 Defender connector (for endpoint/email alerts), Azure Activity, and standard Office 365 audit logs, and don’t ingest Azure AD Sign-in logs (or have very low volume), your direct Sentinel/Log Analytics costs could be very low, potentially $0 – $20 per month.
  

• Scenario 2: MVC including Azure AD Sign-in Logs: If you add Azure AD Sign-in logs (highly recommended for security), assuming 1-5 GB/month ingestion:
  
  • Log Analytics Ingestion: 1-5 GB * ~$2.76/GB = $2.76 – $13.80
    

  • Sentinel Analysis: 1-5 GB * ~$2.46/GB = $2.46 – $12.30
    

  • Total Estimated Direct Cost: Roughly $5 – $30 per month.

Crucial Caveats on Cost:

• Licensing Costs: This estimate does not include the cost of Microsoft 365 licenses (e.g., Business Premium, E3, E5) or standalone Azure AD P1/P2 licenses required to generate the security signals in the first place. These are often the larger part of the overall security spend.
  

• Data Volume Variance: Actual data volume can vary significantly based on user activity, configured logging levels, and enabled features.
  

• Pricing Changes: Azure pricing can change. Always refer to the official Azure pricing calculator for the most current information.
  

• Commitment Tiers: If data volume grows significantly (e.g., consistently over 100 GB/day, which is unlikely for this SMB MVC), Commitment Tiers for Sentinel and Log Analytics offer discounts but require upfront commitment.

In conclusion, a minimum viable Sentinel setup focusing on free alert ingestion and essential paid logs like Azure AD Sign-ins can be quite affordable for an SMB, likely falling in the $5 – $30 per month range for direct Azure consumption costs, plus the necessary Microsoft 365/Azure AD licensing costs. Remember that someone needs the time and basic knowledge to monitor the incidents generated.