Periodically I’m asked about my own demo/testing environment for Azure Sentinel. These questions come from both customers and colleagues alike. I’m asked things like what steps do you follow, which connectors/rules to enable, and of course, how much does it cost?
Being a Microsoft employee, many people think we get carte blanche on Azure services. That’s not true. We have to be very mindful about costs, too.
Here’s the steps I use to deploy my own Azure Sentinel instance should I need to recreate my environment:
- Stand-up Sentinel. (Log Analytics workspace – set to defaults for retention)
- Connect all the Connectors for Microsoft services (and follow details for setting each up correctly) – particularly all the free ingestions (Azure Activity Logs, Office 365 Audit Logs, Azure Security Center, Office 365 ATP, Azure ATP, Microsoft Defender ATP, Microsoft Cloud App Security, Azure Information Protection). Also Azure Active Directory (for SigninLogs).
- Enable all applicable Analytics Rules. (Essentially, if I’ve enabled the Data Connector, I’ll enable all associated rules – accepting the default schedules/thresholds, etc.)
- Enable all applicable Workbooks (again, if I have a Data Connector enabled, I also want the applicable Workbooks)
- Deploy applicable Playbooks from our GitHub repo (aka.ms/ASGitHub) Some of my suggested favorites: Block AAD User, Get IP Reputation, Quarantine VM, Get GEO for IP, HaveIBeenPwned.
- Spin up a couple Azure VMs and deploy the Azure Monitor agent. (At least 1 Linux server and 1 Windows workstation)
- Deploy the agent to at least one on-premises test machine (I use my own laptop), and I also have Endpoint Manager/Intune connected for DATP and the Intune logs to monitor Android and iOS.
Let it bake for about 12 hours.
If I’m careful, this setup costs a little less than $150 a month. Sometimes it might cost a bit more because I’m ingesting customer data to develop KQL queries for them. But, in general, I roll in under the $150/month.
Anything I’m missing? Additional questions? Let me know.
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
You must log in to post a comment.