As you deploy Microsoft’s cloud-native SIEM platform, Microsoft Sentinel, you want to employ best practices to support a cost-effective yet operationally effective implementation. A great way to optimize costs is to take advantage of some of the free Microsoft Sentinel benefits for Microsoft 365 E5.
Microsoft Sentinel Benefits for Microsoft 365 E5, A5, F5, and G5 Customers
As per earlier announcements from Microsoft, Microsoft 365 E5, A5, F5, and G5 customers and Microsoft 365 E5, A5, F5, and G5 Security customers are eligible for a data grant of up to 5 MB per user per day. This is a welcome offer, as previously it was only available as a limited promotion.
Beyond letting customers ingest this data for free, the offer lets organizations evaluate the platform at a reduced cost and lowers ongoing monthly data charges.
The data sources covered by the offer are:
Azure Active Directory (Azure AD) Sign-In and Audit Logs
Without accruing any costs, you can use Microsoft Sentinel’s built-in connector to collect data from Azure Active Directory. The connector allows you to stream the following log types into Microsoft Sentinel.
Sign-in logs contain information on interactive user sign-ins where the user provided an authentication factor. Additional Azure AD log types you can connect to Microsoft Sentinel, still in preview, include non-interactive user sign-in logs, managed identity sign-in logs, and service principal sign-in logs.
You can also connect audit logs, which contain information about system activity relating to user and group management, directory activities, and managed applications.
An additional category, still in preview, is provisioning logs, which contain system activity information for users, groups, and roles provisioned by the Azure AD provisioning service.
Note that an Azure Active Directory Premium P1 or P2 license is required to ingest these sign-in logs.
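To show what the interactive and non-interactive sign-in logs look like once they land in the workspace, here is an added KQL example (not from the original article) that flags accounts with a burst of failed sign-ins across both log types. It assumes the standard Sentinel table names for the Azure AD connector (SigninLogs and AADNonInteractiveUserSignInLogs); the one-hour lookback and the failure threshold of 10 are assumptions you would tune for your tenant.

```kusto
// Added example: failed sign-in bursts across interactive and non-interactive Azure AD logs.
// Table names are the standard Sentinel tables for the Azure AD connector;
// lookback and threshold values are assumptions to tune per tenant.
let lookback = 1h;
let threshold = 10;
union isfuzzy=true           // isfuzzy lets the query run even if the preview table is not connected yet
    (SigninLogs
        | where TimeGenerated > ago(lookback)
        | project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName,
                  LogType = "Interactive"),
    (AADNonInteractiveUserSignInLogs
        | where TimeGenerated > ago(lookback)
        | project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName,
                  LogType = "NonInteractive")
| where ResultType != "0"    // ResultType "0" is success; any other code is a failure
| summarize Failures = count(),
            DistinctIPs = dcount(IPAddress),
            LogTypes = make_set(LogType),
            Apps = make_set(AppDisplayName, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName
| where Failures >= threshold
| order by Failures desc
```

Run this in the workspace's Logs blade first to calibrate the threshold, then save it as a scheduled analytics rule; the DistinctIPs and LogTypes columns are what tell a spray from a single user mistyping a password.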
Microsoft Defender for Cloud Apps Shadow IT Discovery Logs
Also included as a benefit of Microsoft Sentinel is the ability to configure the Microsoft Defender for Cloud Apps connector’s “Alerts” and “Discovery” logs. This enables your IT security staff to identify unsanctioned applications and the users who have been using, or trying to access, prohibited applications within your ecosystem. The idea is to provide a baseline for further investigation and analysis. Note that you can create custom alerts once the connector is configured in Microsoft Sentinel.
Microsoft Information Protection Logs
Microsoft Information Protection, now referred to as Microsoft Purview Information Protection, enables organizations to protect sensitive documents and emails by applying sensitivity labels to them. That way, compliance administrators can restrict user access.
In busy tenants, MIP generates large volumes of audit events, which administrators are expected to review in order to detect anomalies. Fortunately, you can combine Information Protection with Microsoft Sentinel. The benefits include data visualization with Microsoft Sentinel Workbooks and automated responses with Microsoft Sentinel Playbooks. Further, the administrator receives prompt notifications when certain events happen.
Typically, you will need a paid Azure subscription to gain access to this benefit, which means you will be billed per MB ingested.
Microsoft 365 Advanced Hunting Data
An additional benefit is the Microsoft 365 Defender connector, which lets you stream advanced hunting events into Microsoft Sentinel. You can collect all advanced hunting events from all Microsoft 365 Defender components and stream them directly into purpose-built tables within the Microsoft Sentinel workspace.
Administrators can also copy existing Microsoft Defender advanced hunting queries directly into Microsoft Sentinel. With access to the raw event logs, you can not only pick up alerts and investigate them but also correlate them with other data sources already in the workspace.
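The correlation the paragraph above describes is easiest to see with a query. The following is an added KQL example, not code from the article, that joins the Microsoft 365 Defender DeviceLogonEvents table (streamed via the advanced hunting connector) with the Azure AD SigninLogs table, so that an account failing to authenticate both on endpoints and in the cloud surfaces in one place. The table and column names are the standard advanced hunting and Azure AD schemas; the one-day lookback and the threshold of five failures on each side are assumptions.

```kusto
// Added example: correlate endpoint logon failures (Microsoft 365 Defender advanced hunting)
// with cloud sign-in failures (Azure AD) for the same account name.
// Lookback and thresholds are assumptions; tune them for your environment.
let lookback = 1d;
let minFailures = 5;
let endpointFailures =
    DeviceLogonEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType =~ "LogonFailed"
    | extend Account = tolower(AccountName)
    | summarize EndpointFailures = count(),
                Devices = make_set(DeviceName, 5),
                RemoteIPs = make_set(RemoteIP, 5)
        by Account;
let cloudFailures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                      // "0" is success
    | extend Account = tolower(tostring(split(UserPrincipalName, "@")[0]))  // UPN prefix as the join key
    | summarize CloudFailures = count(),
                CloudIPs = make_set(IPAddress, 5)
        by Account, UserPrincipalName;
endpointFailures
| join kind=inner cloudFailures on Account
| where EndpointFailures >= minFailures and CloudFailures >= minFailures
| project Account, UserPrincipalName, EndpointFailures, CloudFailures, Devices, RemoteIPs, CloudIPs
| order by EndpointFailures + CloudFailures desc
```

The join key is the UPN prefix because on-premises SAM account names and cloud UPNs often share it; if your naming differs, replace the Account extension on both sides with whatever attribute your directory uses consistently.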
Microsoft Sentinel Free Data Sources
As highlighted, the Microsoft 365 data sources named above require a paid Azure license. On the other hand, the following data sources are always free for all Microsoft Sentinel users as an ongoing Microsoft Sentinel benefit.
Azure Activity Logs
The Azure Activity log is a platform log that provides insight into subscription-level events, such as which resources have been changed or the exact moment a virtual machine was started. All of this information is available in the Azure portal. For additional functionality, you can send the activity log to Microsoft Sentinel, where your security personnel can explore, and proactively hunt for, potentially suspicious operations within your Azure environment without incurring any additional cost.
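As an added illustration of hunting in this free data source (example KQL, not from the article), the query below pulls a handful of high-impact subscription-level operations from the AzureActivity table and groups them by the caller and source IP. The operation names are standard Azure resource-provider operation identifiers; the specific watch list and the one-day lookback are assumptions you would adapt to what matters in your subscriptions.

```kusto
// Added example: high-impact control-plane operations from the Azure Activity log.
// Operation names are standard Azure resource-provider operations; the list and lookback are assumptions.
let lookback = 1d;
let watched = dynamic([
    "Microsoft.Authorization/roleAssignments/write",              // RBAC grant
    "Microsoft.Authorization/policyAssignments/delete",           // guardrail removed
    "Microsoft.Network/networkSecurityGroups/securityRules/write",// firewall rule change
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.KeyVault/vaults/delete"
]);
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue in~ (watched)
| where ActivityStatusValue in~ ("Success", "Succeeded")        // only completed operations
| summarize Operations = count(),
            Resources = make_set(_ResourceId, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Caller, CallerIpAddress, OperationNameValue, SubscriptionId
| order by LastSeen desc
```

Role-assignment writes from an unfamiliar caller or IP are the rows worth opening first; the Resources column shows exactly which scope was granted.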
Office 365 Audit Logs
Office 365 audit logs collect large quantities of data from all the different workloads and are especially useful when investigating tenant activity. You can use the built-in and custom connectors available in Microsoft Sentinel to onboard all of your Office 365 audit logs and related workloads.
The benefit is extensive reporting that helps you analyze all the connected data. You can also customize the built-in workbooks for your own reporting needs.
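To make the investigative value of the Office 365 audit log concrete, here is an added KQL example (not code from the article) over the OfficeActivity table that finds Exchange mailbox rules and mailbox settings that forward or redirect mail to a domain outside the tenant. It assumes the standard OfficeActivity schema, in which the Parameters column holds a JSON array of Name/Value pairs from the audited cmdlet; the internal domain list and the seven-day lookback are placeholders to replace with your own.

```kusto
// Added example: mail forwarding to external domains, from Office 365 (Exchange) audit records.
// Assumes the standard OfficeActivity schema; internalDomains and lookback are placeholders.
let lookback = 7d;
let internalDomains = dynamic(["contoso.com", "contoso.onmicrosoft.com"]);   // replace with your domains
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload =~ "Exchange"
| where Operation in~ ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
// Parameters is a JSON string of {Name, Value} pairs; expand it and keep only forwarding-related ones
| mv-apply p = todynamic(Parameters) on (
      where tostring(p.Name) in~ ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
    | extend Target = tostring(p.Value)
  )
| extend TargetDomain = tolower(tostring(split(Target, "@")[1]))
| where isnotempty(TargetDomain) and TargetDomain !in (internalDomains)
| project TimeGenerated, UserId, ClientIP, Operation, Target, TargetDomain
| order by TimeGenerated desc
```

Seed internalDomains from your verified tenant domains so that legitimate internal redirects drop out, and review whatever remains alongside the user's sign-in history.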
Additional free data sources in Microsoft Sentinel include alerts from Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Microsoft Defender for Cloud Apps.
You can use the built-in rules in Microsoft Sentinel to automatically create incidents in real time, all for free. You can also edit these rules to filter the security alerts raised by the different Microsoft security products; for instance, you can create incidents only for alerts of a chosen severity.
Additional information on Microsoft’s free data sources can be found on the “Plan costs for Microsoft Sentinel” web page.
Learn More About Free Microsoft Sentinel Benefits for Microsoft 365 E5
Are you looking to reduce costs and risk by implementing Microsoft Sentinel or replacing your existing SIEM/SOAR platforms? Agile IT can help you understand pricing, implementation, and automation. Be sure to contact us.