Great news! Earlier today, Microsoft announced the General Availability (GA) of Azure Sentinel which has been in public preview since earlier this year. Azure Sentinel is Microsoft’s initial attempt at building a cloud-SIEM and, through it, they enter in (direct) competition with solutions from Splunk and the likes.
If you missed out on the public preview and want to get some insights into Azure Sentinel, I suggest you take a look at this “getting started” guide from Microsoft. Also keep an eye on this blog as we’ll be sharing more information over the coming weeks and months.
Since its introduction, Azure Sentinel has already changed quite a bit. For example, Microsoft have replaced the initial dashboards with the more flexible Azure Workbooks –a huge improvement if you ask me. But that’s just one element. Whilst pretty dashboards can be of importance to some, to me, the biggest advantages of Azure Sentinel are:
- The speed at which it has evolved and gotten better
- Its ease-of-use (initial setup, configuration and management)
- Flexible approach (both in pricing and capabilities)
Ease of use
Azure Sentinel is extremely easy to deploy. It only takes minutes to set it up (connecting various data sources) and get data flowing in. Of course, that’s when the fun starts: because each environment is unique, you may want to build your own queries to search for and detect anomalies or signs of compromise in your environment. For this, Azure Sentinel (like Log Analytics) relies on the use of KQL (Kusto Query Language) which shares some similarities to SQL. It does require some getting used to, but you’ll be on your way in no time.
Extending Azure Sentinel to help you with automated incident response or integrating it with other tools and solutions (through Azure Logic Apps) is child’s play. Yes, there is an additional cost to run automation in Azure Logic Apps, but it’s a no-brainer compared to the potential thereof. For example, you can automatically trigger a playbook to create an alert in your ticketing system (we use Jira for that). That way, you don’t necessarily have to stare at “yet another dashboard” (in addition to all the other dashboards in Microsoft 365 + Azure).
With the general availability, also comes more information regarding pricing; one thing that remained a well-kept secret until now. There are two pricing-models:
- Pay-as-you-go; whereby customers not only pay for the underlying storage cost in Azure Log Analytics, but also pay per GB of analyzed data in Azure Sentinel. At time of writing, the price per GB is set to 2,08 EUR or 2.46 USD; more than fair.
- Capacity Reservations; which is aimed at larger environments that ingest large amount of data. In this case, you’re not billed for what you use, but rather pay a fixed fee based on the “tier” of consumption you are in. For the first 100GB of analyzed data (per day), you pay approx. 103.73 EUR (also per day). Moving up to the next tier (200GB per day), you pay 186.71 EUR per day, etc. Whilst these numbers may dazzle you at first, consider the computer power necessary to process these large amounts of data and you’ll see the pricing is fair and rather competitive. The main benefit of using capacity reservations, though, is the predictability of the price; something which is not the case in the pay-as-you-go model.
Data you ingest from Office 365, Microsoft Threat Protection Alerts and Azure Activity logs are ingested (and processed) for free. Beware that none of the price above include costs for storage or the ingestion thereof in Azure Log Analytics. Luckily, neither are very expensive.
Note: to prevent the cost for Azure Sentinel spinning out of control, it is worth considering a spending limit on the subscription or the resource. Whilst – under normal circumstances – your ingestion rate will be somewhat steady, you may encounter unexpected spikes when you are, for example, under attack. Obviously, don’t be too aggressive on the spending limit. Once you hit the limit data will stop being ingested and you’ll be sent back to the dark ages which your attackers will greatly appreciate!
More information on pricing is available here.
Cloud Control – Security
The Collective has deployed and used Azure Sentinel at various customers, including in our own SOC. In addition to using the built-in capabilities and queries, we’ve leveraged the flexibility of the platform to integrate it with (external) thread feeds which help us to proactively look for indications of compromise and processing of alerts.
If you’re interested to find out more, have a look at our Cloud Control-service or get in touch!