I’ve put together a quick introduction on Azure Sentinel to give you a better idea of what it is all about. I’ll show you how to connect services and create some rules to get you started. I also give you an idea of the costs of using the service (hint, it’s cheap!).
The direct video URL is – https://www.youtube.com/watch?v=XBXeFtrYaFI
If you find that no data is flowing into your Azure Sentinel workspace then check the data connectors as shown above. You should see that the Data types are connected and actual events are appearing.
If you select Open connector page, you should first see that the data source is connected (in the top right). In the lower left you should see the connected sources as well as the log counts. However, if you see no data, the most likely cause is that you have not completed the Configuration settings (here, selecting the Exchange and SharePoint options).
Another way to check is to select the Logs option on the left menu and then run an ad hoc query against some of the data sources as shown above. That should produce some low-level logs that confirm data is being ingested.
Azure Sentinel Data Connectors have different configurations, so if you are not seeing any data inside Sentinel, check that you have all the configuration options enabled and connected inside each connector.
Here are the slides from my longer presentation today at Ignite Copenhagen:
Securely logging to Microsoft 365
Getting access to your information in Microsoft 365 starts with logging in, but is it as secure as it could be? Understanding security options at the point of entry like MFA, Legacy Authentication and Conditional Access on all devices is critical to keeping information protected, as it is not only you that is trying to log into your account these days! Learn what security technologies you can add at login and the best-practice approaches to configuring and monitoring these. Security starts at the doorway to Microsoft 365 and simple configurations can greatly reduce your risks of unauthorised access. Come and learn what can be done.
Every month when I receive my Azure bill I take a careful look at it to see if there is anything I can optimise. This month I saw that the top cost was from my Log Analytics workspace as you can see above. This however was no surprise because it basically represents the amount of data that had been ingested from my remote workstations into Azure Sentinel for analysis.
When I looked at Azure Sentinel I could see that I am bringing in more performance logs than security events per day. Now the question is, am I really getting value from having that much ingestion of performance logging? Probably not, so I want to go and turn it down a notch and not ingest quite so much and, hopefully, save myself a few dollars.
To do this, I’ll need to log into the Azure Portal and then go to Log Analytics workspaces.
I’ll then need to select Advanced settings from the menu on the left.
The first thing I checked, in Data, Windows Event Logs, was that I’m only capturing the errors in the Application and System logs for the devices, which I was.
Next I went to Windows Performance Counters and adjusted the sample time limit. I have increased it to every 10 minutes for now to see what difference that makes. I could also remove or add certain performance counters here if I wanted but I wanted to work with the current baseline.
With all that done, I’ll wait and see what the cost differences are in next month’s invoice and adjust again if necessary.
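Both the connector check and the cost review described above can be done from the Logs blade with one query; the following is an added example, not taken from the original posts. It assumes the workspace uses the standard `OfficeActivity`, `SecurityEvent`, `Event` and `Perf` tables, so adjust the table list to match the connectors you have enabled.

```kusto
// Added example: per-table ingestion health and billed volume for the last 7 days.
// The table list is an assumption; isfuzzy=true lets the query run even if
// one of the listed tables does not exist in this workspace.
union isfuzzy=true withsource=SourceTable OfficeActivity, SecurityEvent, Event, Perf
| where TimeGenerated > ago(7d)
| summarize Records  = count(),
            LastSeen = max(TimeGenerated),
            // _BilledSize is the billed size of each record in bytes
            BilledMB = round(sum(_BilledSize) / 1024.0 / 1024.0, 2)
    by SourceTable
// How stale is each source? A large value suggests the connector has stopped sending.
| extend HoursSinceLast = datetime_diff('hour', now(), LastSeen)
| order by BilledMB desc
```

A table that is missing from the results has ingested nothing in the time window, which points back to that connector's configuration. Comparing `BilledMB` for `Perf` against `SecurityEvent` before and after changing the sample interval shows the effect without waiting for the next invoice.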