Azure Sentinel News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
Azure Sentinel News
No Result
View All Result
Home Security Operations

Steps to Create a Cost Worthy Azure Sentinel Demo/Testing Environment

Azure Sentinel News Editor by Azure Sentinel News Editor
December 28, 2020
in Security Operations
0
Microsoft introduces integrated Darktrace-a-like, Azure Sentinel
3.0kViews
322 Shares Share on Facebook Share on Twitter

Periodically I’m asked about my own demo/testing environment for Azure Sentinel. These questions come from both customers and colleagues alike. I’m asked things like what steps do you follow, which connectors/rules to enable, and of course, how much does it cost?

Being a Microsoft employee, many people think we get carte blanche on Azure services. That’s not true. We have to be very mindful about costs, too.

Here’s the steps I use to deploy my own Azure Sentinel instance should I need to recreate my environment:

  1. Stand-up Sentinel. (Log Analytics workspace – set to defaults for retention)
  2. Connect all the Connectors for Microsoft services (and follow details for setting each up correctly) – particularly all the free ingestions (Azure Activity Logs, Office 365 Audit Logs, Azure Security Center, Office 365 ATP, Azure ATP, Microsoft Defender ATP, Microsoft Cloud App Security, Azure Information Protection). Also Azure Active Directory (for SigninLogs).
  3. Enable all applicable Analytics Rules. (Essentially, if I’ve enabled the Data Connector, I’ll enable all associated rules – accepting the default schedules/thresholds, etc.)
  4. Enable all applicable Workbooks (again, if I have a Data Connector enabled, I also want the applicable Workbooks)
  5. Deploy applicable Playbooks from our GitHub repo (aka.ms/ASGitHub) Some of my suggested favorites: Block AAD User, Get IP Reputation, Quarantine VM, Get GEO for IP, HaveIBeenPwned.
  6. Spin up a couple Azure VMs and deploy the Azure Monitor agent. (At least 1 Linux server and 1 Windows workstation)
  7. Deploy the agent to at least one on-premises test machine (I use my own laptop), and I also have Endpoint Manager/Intune connected for DATP and the Intune logs to monitor Android and iOS.

Let it bake for about 12 hours.

If I’m careful, this setup costs a little less than $150 a month. Sometimes it might cost a bit more because I’m ingesting customer data to develop KQL queries for them. But, in general, I roll in under the $150/month.

Anything I’m missing? Additional questions? Let me know.

Reference: https://azurecloudai.blog/2020/09/01/steps-to-create-a-cost-worthy-azure-sentinel-demo-testing-environment/

Azure Sentinel News Editor

Azure Sentinel News Editor

Related Posts

What’s new: Microsoft Teams connector in Public Preview
Security Operations

AMA for Azure Sentinel on the Microsoft Security Insights Podcast and Twitch Stream

January 25, 2021
What’s new: Microsoft Teams connector in Public Preview
Security Operations

How to Setup a Managed Identity for the Azure Sentinel Logic App Connector

January 21, 2021
Microsoft suspends 18 Azure accounts tied to China-based hackers
Security Operations

Azure Sentinel Daily Task: Hunting Queries and Bookmarks

January 1, 2021
Next Post
Improve security with Azure Sentinel, a cloud-native SIEM and SOAR solution

Unleash the Rosetta Stone of Schema Knowledge for Your Azure Sentinel Data

Microsoft improves Azure’s security to protect your business

How to Enable the Microsoft Teams Public Preview for Azure Sentinel

Microsoft Debuts Azure Sentinel SIEM, Threat Experts Service

Azure Sentinel Event Grouping is in Public Preview

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Follow Us

  • 21.8M Fans
  • 81 Followers

Recommended

Microsoft Azure AD Gains Machine Learning Hooks To Detect Sneaky Password Spray Attacks

Microsoft Azure AD Gains Machine Learning Hooks To Detect Sneaky Password Spray Attacks

4 months ago
The ‘All-Seeing’ Azure Sentinel Provides Omnipresent Level Security

Microsoft announces a slew of security enhancements for Azure

3 months ago
Microsoft’s John Thompson and VMware’s Sanjay Poonen share a similar view of the security landscape

Microsoft’s John Thompson and VMware’s Sanjay Poonen share a similar view of the security landscape

3 months ago
Enriching Windows Security Events with Parameterized Function

How to Link to Related Workbooks within the Current Azure Sentinel Workbook

2 months ago

Instagram

    Please install/update and activate JNews Instagram plugin.

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

Topics

anomaly automation Azure Azure DevOps Azure Security Center Azure Sentinel Azure Sentinel API Azure Sentinel Connector BlueVoyant Call cybersecurity Detection file GitHub Hunting Huntingy IAC incident response Incident Triage infrastructure as code Investigation jupyter LAQueryLogs MDR Microsoft microsoft 365 mssp Multitenancy Notebooks Pester Playbooks PowerShell python Records Security Sentinel Sharing SIEM signin Supply Chain teams Threat hunting Watchlists Workbooks XDR
No Result
View All Result

Highlights

New Items of Note on the Azure Sentinel GitHub Repo

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

New Search Capability for Azure Sentinel Incidents

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

Changes in How Running Hunting Queries Works in Azure Sentinel

Azure Sentinel can now Analyze All Available Azure Active Directory Log Files

Trending

What’s new: Microsoft Teams connector in Public Preview
IR

How to Generate Azure Sentinel Incidents for Testing

by Azure Sentinel News Editor
February 26, 2021
0

Do you want to generate an Incident in Azure Sentinel for testing/demoing? Here’s a couple easy ways...

What’s new: Microsoft Teams connector in Public Preview

Azure Sentinel Notebooks Loses It’s Preview Tag

February 25, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

February 22, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

New Items of Note on the Azure Sentinel GitHub Repo

February 18, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

February 17, 2021

We bring you the best, latest and perfect Azure Sentinel News, Magazine, Personal Blogs, etc. Visit our landing page to see all features & demos.
LEARN MORE »

Recent News

  • How to Generate Azure Sentinel Incidents for Testing February 26, 2021
  • Azure Sentinel Notebooks Loses It’s Preview Tag February 25, 2021
  • The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting February 22, 2021

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

[mc4wp_form]

Copyright © 2020 - Azure Sentinel News

No Result
View All Result
  • Home
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence

Copyright © 2020 Azure Sentinel News