AZURE SENTINEL FAQ
Q: Can we migrate our existing SIEM infrastructure to Azure Sentinel?
A: Yes. Managed Sentinel can help your organization with the initial build of the Azure Sentinel SIEM, with configuring the log sources that feed into Azure Log Analytics, and with related migration tasks. Your existing SIEM use cases can be ported into Azure Sentinel, and Managed Sentinel can provide the expertise.
An Azure Sentinel SIEM deployment is usually completed within 2-3 weeks. Our customers typically start with a Proof of Concept (PoC) deployment, analyze the results and then initiate a full solution deployment.
Q: What are the costs of deploying Azure Sentinel SIEM?
A: Azure Sentinel costs are based on the following paid Azure services:
1. Log Analytics – Provides storage and retention of logging data. Pricing is based on GB/month. The estimated monthly costs for different volumes of data are as follows:
5GB per month are included free of charge. The default log retention is 31 days. The SIEM Sizing Calculator can be used for a more detailed estimate based on EPS and GB/month. For full pricing details see Azure Monitor pricing.
2. Logic Apps – used for automation workflows, such as Azure Sentinel alerts and playbooks. Microsoft's pricing structure is per action and per invoked connector. Microsoft currently provides a comprehensive list of connectors, ranging from Azure Functions and APIs, email and scheduler to more complex ones such as ServiceNow integration.
| Alerts per day | 10 | 20 | 30 | 40 | 50 | 55 |
|---|---|---|---|---|---|---|
| # Connectors – Standard | 5 | 5 | 5 | 5 | 5 | 5 |
| # Connectors – Enterprise | 1 | 1 | 1 | 1 | 1 | 1 |
| Azure Logic Apps Costs/month | $0.63 | $1.27 | $1.90 | $2.85 | $3.17 | $3.58 |
The monthly price for deploying and using Logic Apps is not significant, and their versatility gives customers a wide range of options for reporting, alerting and orchestration around Azure Sentinel alerts. Some of the more sophisticated, enterprise-level connectors may have a higher cost.
3. Azure Sentinel service costs – As of May 29th, 2019, Azure Sentinel is in Preview mode. The service is still in its beta phase and the final price has not been released yet. Considering Microsoft's general approach to pricing cloud services, we estimate that the price will be very competitive and aligned with the Azure pricing model. Final pricing will be announced soon and posted here.
4. Initial deployment (and migration from an on-premises SIEM) – This is the effort associated with the initial build of Azure Sentinel, onboarding of log sources, creation of log parsers and configuration of alerts and playbooks. The true value of a SIEM deployment relies on implementing an effective way of evaluating the value of use cases, together with continuous tuning and review. Managed Sentinel provides support for the full development lifecycle of SIEM use cases, including regular reviews, KPIs and updates based on the latest research on the SIEM marketplace.
5. On-going management – This is the effort required for daily support of Azure Sentinel, monitoring of log sources and on-going alert tuning, and it is covered by the monthly SIEM management fee charged by managed SIEM providers. As Azure Sentinel is a cloud-based service, there are no charges for SIEM appliance maintenance such as appliance health, availability, upgrades and patches. This allows for a better use of the SIEM investment, as all effort goes towards building and maintaining use cases rather than keeping the lights on for hardware appliances.
6. Internet bandwidth – Based on Microsoft's pricing structure there are no fees for inbound traffic (traffic towards Azure); only traffic related to downloads and alerts is charged. This type of traffic is minimal, so accessing dashboards on Azure Sentinel and receiving alerts and reports have little financial impact. Here is the pricing structure for bandwidth consumption. Since the logging data has to be sent to Azure Sentinel, some of the existing Internet bandwidth will be consumed, but most organizations with a cloud presence should have enough bandwidth capacity.
Q: Our company has made a significant investment in several security tools and technologies deployed on-premises. Can Azure Sentinel SIEM be used in this situation?
A: Azure Sentinel provides agents for Windows and Linux endpoints and syslog-based collectors for network and security appliances. The agents allow the collection of a variety of logs, including Windows Event Logs, IIS logs, performance counters, Linux authentication logs and many others. The agents can be deployed using standard software deployment tools such as Microsoft SCCM. The syslog collector can receive any type of syslog data and forward it to the Azure Sentinel log storage platform (a Log Analytics workspace).
Log Analytics is priced based on GB/month, so an increase in logging volume translates into increased monthly costs. Managed Sentinel can advise on the value of logging data, review the use cases, alerts and playbooks, and help customers achieve a good balance between log storage costs and the actionable intelligence extracted from those logs.
For syslog data, we advise our customers to keep a copy of the logs on-premises (on the syslog server configured for Azure Sentinel). This copy acts as a backup and, if the data sent to Azure Sentinel is limited in order to keep costs within budget, as a repository of all logging data. The text files used by regular syslog servers are highly compressible, so they can be archived on a regular basis and use very little disk space.
The Sentinel syslog connector can receive data in the CEF logging format. When the CEF format is detected, the Sentinel backend stores the parsed data (based on the fields identified in the message) in the CommonSecurityLog table. All other syslog messages are sent to the Syslog table, with just the timestamp and the syslog message as fields. If fields need to be extracted from that syslog data, the extraction has to be done at search time, which penalizes search performance. To avoid this, Managed Sentinel can deploy its own agent, based on Elastic Stack Logstash or open-source Fluentd. The Managed Sentinel agent can be configured as a hub for all on-premises device logging: it parses the logs, selects only the relevant fields and events, and forwards them to Azure Log Analytics over an encrypted channel. This option optimizes your log volume and bandwidth consumption before the data even leaves your network.
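The two paths described above (CEF parsed into fields, everything else stored as a raw message) and the hub that trims events and fields before forwarding can be illustrated with the following added example. It is not Managed Sentinel's agent, Microsoft's connector, or a Logstash/Fluentd configuration; it is a small Python routing and trimming step that a practitioner could drop in front of a forwarder. The three sample syslog lines, the vendor/product names, the `KEEP_FIELDS` list and the severity threshold are all constructed for this example, and the header field names follow the CEF specification rather than claiming to be the exact CommonSecurityLog column names.

```python
"""Constructed example: route CEF-over-syslog vs plain syslog, then trim records
before they leave the network. Not Managed Sentinel's or Microsoft's code."""
import json
import re
from typing import Dict, List, Optional

# Constructed sample lines (not from the page): two CEF events from a firewall
# and one plain sshd message. Values such as 'deny\=all' show CEF escaping.
SAMPLE_LINES = [
    "<134>May 29 10:15:02 fw01 CEF:0|ExampleVendor|Firewall|1.0|100|"
    "Blocked outbound connection|5|src=10.0.0.5 dst=203.0.113.9 dpt=445 "
    "act=block msg=Policy denied cs1Label=rule cs1=deny\\=all",
    "<38>May 29 10:15:03 srv01 sshd[1234]: Failed password for invalid user "
    "admin from 198.51.100.7 port 51234 ssh2",
    "<190>May 29 10:15:04 fw01 CEF:0|ExampleVendor|Firewall|1.0|1|"
    "Connection allowed|1|src=10.0.0.8 dst=10.0.0.1 dpt=53 act=allow",
]

# Names of the seven pipe-delimited CEF header fields (per the CEF spec).
CEF_HEADER = ["Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
              "SignatureID", "Name", "Severity"]
_SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                        r"(?P<host>\S+) (?P<msg>.*)$")
# An extension key starts the string or follows whitespace and ends with '='.
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")
_SEVERITY_WORDS = {"low": 1, "medium": 4, "high": 7, "very-high": 9}  # rough mapping (assumption)


def _unescape(value: str) -> str:
    """Undo CEF escaping: \\| \\= \\\\ become literal; \\n and \\r become line breaks."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_cef(body: str) -> Optional[List[str]]:
    """Split 'CEF:0|...' on the first seven unescaped pipes; the rest is the extension.
    Returns None for anything that is not a well-formed CEF message."""
    if not body.startswith("CEF:"):
        return None
    text, fields, cur, i = body[len("CEF:"):], [], [], 0
    while i < len(text) and len(fields) < 7:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])          # keep the escape for _unescape()
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        return None                            # too few pipes: not CEF
    fields.append(text[i:])                    # extension (may be empty)
    return fields


def _parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs; a value runs until the next unescaped ' key='."""
    keys = list(_EXT_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_line(line: str) -> Dict[str, object]:
    """CEF -> parsed fields (CommonSecurityLog-style); anything else -> raw
    message (Syslog-style), so later field extraction would be a search-time job."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return {"table": "Syslog", "SyslogMessage": line}
    pri = int(m.group("pri"))
    base = {"TimeGenerated": m.group("ts"), "Computer": m.group("host"),
            "Facility": pri // 8, "SeverityLevel": pri % 8}
    cef = _split_cef(m.group("msg"))
    if cef is None:
        return {"table": "Syslog", "SyslogMessage": m.group("msg"), **base}
    record: Dict[str, object] = {"table": "CommonSecurityLog", **base}
    record.update({name: _unescape(v) for name, v in zip(CEF_HEADER, cef[:7])})
    record.update(_parse_extension(cef[7]))
    return record


def _severity(value: object) -> int:
    v = str(value).strip().lower()
    return int(v) if v.isdigit() else _SEVERITY_WORDS.get(v, 0)


# Fields worth shipping for this constructed firewall use case (assumption).
KEEP_FIELDS = {"table", "TimeGenerated", "Computer", "DeviceVendor", "DeviceProduct",
               "SignatureID", "Name", "Severity", "src", "dst", "dpt", "act", "msg"}


def trim_for_forwarding(lines: List[str], min_severity: int = 3) -> List[Dict[str, object]]:
    """The hub step: drop low-severity CEF noise and strip fields the use cases
    never query. Plain syslog is forwarded whole, since nothing was parsed out of it."""
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec["table"] == "CommonSecurityLog" and _severity(rec.get("Severity", 0)) < min_severity:
            continue
        kept.append({k: v for k, v in rec.items() if rec["table"] == "Syslog" or k in KEEP_FIELDS})
    return kept


def forwarding_stats(lines: List[str]) -> Dict[str, int]:
    """Events and fields before vs after trimming: what never leaves the network."""
    parsed = [parse_line(l) for l in lines]
    kept = trim_for_forwarding(lines)
    return {"events_in": len(parsed), "events_out": len(kept),
            "fields_in": sum(len(r) for r in parsed), "fields_out": sum(len(r) for r in kept)}


if __name__ == "__main__":
    for rec in trim_for_forwarding(SAMPLE_LINES):
        print(json.dumps(rec))
    print(forwarding_stats(SAMPLE_LINES))
```

Running the block shows the firewall block event reduced to its routed fields, the sshd line passed through untouched as a Syslog-style record, and the low-severity "Connection allowed" event dropped entirely; `forwarding_stats` makes the reduction explicit. In a real hub the same two decisions (which events, which fields) would be expressed as Logstash or Fluentd filters, and the threshold and field list would be derived from the use cases rather than hard-coded.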
Q: My company has a log retention policy of 6 months online/1 year offline. How will a Cloud SIEM address this?
A: By default, Microsoft offers 31 days of log retention in the Azure Log Analytics platform. The price for log retention in Azure Log Analytics is fully detailed on Microsoft's website. The following table describes the monthly fee for different log sizes; the prices are in Canadian Dollars.
| Azure Log Analytics Retention Costs/month | $7.68 | $26.88 | $53.76 | $80.64 | $107.52 | $161.28 |
| 6 months Log Retention | $46.08 | $161.28 | $322.56 | $483.84 | $645.12 | $967.68 |
Many organizations choose to deploy an on-premises syslog service for cost-effective log retention. Using a SIEM platform as a log retention platform is not always the most effective method, and it can lead to very high SIEM licensing costs. Managed Sentinel can advise on various log retention strategies.
Q: I am using Office 365 for my corporate email. How can I get visibility into Office 365 audit logs?
A: Azure Sentinel provides a built-in Office 365 connector. The following article describes how Office 365 can be configured to generate the relevant logging data. Azure Sentinel provides an Office 365 dashboard where you can see relevant information about Office 365 activity. Managed Sentinel has developed several use cases (alerts + playbooks) that can be used for Office 365 security incident alerting and investigation.
Q: How much data will move from on-premises to Cloud? Should I be concerned with bandwidth consumption?
A: The volume of data moving to the Cloud and the Internet bandwidth consumption on the customer premises vary with the number of events collected, the size and type of events, and the time of day. Each customer is different, and it is difficult to estimate the traffic without additional details.
Managed Sentinel consultants can work with your team to understand the environment (network topology, current technologies, and current security challenges), decide which log sources are relevant for SIEM analysis, and construct the proper parsers to extract the essential information to be sent to Azure Sentinel. We let our customers know the size, complexity and costs before we start the work. The initial phase of the project, information gathering and high-level design, is essential to each SIEM deployment.
Q: My company is using AWS as Cloud Provider. Can I use Azure Sentinel SIEM?
A: Yes. Azure Sentinel has a data connector for AWS CloudTrail logs, which allows log collection from the AWS platform directly into Azure Log Analytics. Azure Sentinel has a built-in parser for AWS traffic, so the onboarding is relatively simple. The Managed Sentinel team can assist with the integration process.