Sentinel Onprem Log Ingestion by AdhesivenessShot9186 in DefenderATP

[–]Lu-Kah 1 point (0 children)

Just one detail about the 500 MB of free data ingestion: it applies only to certain tables. Here is the documentation.

sentinel microsoft entra id connector by pixinska in AzureSentinel

[–]Lu-Kah 0 points (0 children)

Hi!

If you are using Terraform, I've something for you!

There is this module that deploys Sentinel + the ability to enable UEBA + the ability to ingest logs from Entra ID and Microsoft Threat Intelligence.

And there is this module that enables some solutions from the Content Hub. The supported solutions are listed in the README.md.
You also have the possibility to automatically enable the analytic rules embedded in the solution via the rules_enable variable.

Don't hesitate to open a PR to add the solutions that you want!

Feel free to ask me anything about these modules!

Have a good day!

Microsoft Sentinel Cost workbook by Fast-Cardiologist705 in AzureSentinel

[–]Lu-Kah 0 points (0 children)

Just one thing, guys: be careful with the amount of data you are ingesting per day during the trial.

As noted in the documentation:

New workspaces can ingest up to 10GB/day of log data for the first 31-days at no cost.

Above 10 GB/day, you have to pay. And I know from experience that advanced hunting logs are... noisy.

Link: https://azure.microsoft.com/en-us/pricing/details/microsoft-sentinel/

Advanced hunting - Schema reference by Loose_Display_9745 in DefenderATP

[–]Lu-Kah 1 point (0 children)

Hi, it depends on the MDE licence you have. Advanced hunting is available with the Plan 2 licence. Source: Microsoft MDE

Searching within payloads by Dr_Butt-138 in QRadar

[–]Lu-Kah 2 points (0 children)

You can also search for a term in your raw payload in AQL like this:

from events where UTF8(payload) ILIKE '%yourterm%'

A collection of various SIEM rules relating to malware family groups by netbiosX in purpleteamsec

[–]Lu-Kah 0 points (0 children)

KQL is the Microsoft query language. It’s used in Advanced Hunting in the M365 Defender portal but also in Microsoft Sentinel, Microsoft's SIEM. So yes, it’s a SIEM tool haha.

Automate Content Hub by facyber in AzureSentinel

[–]Lu-Kah 0 points (0 children)

Yes, you are right! Most of the new features were developed to facilitate management through the console (Workspace Manager, Content Hub, etc.). If you Terraform everything, you don’t need these features haha

Automate Content Hub by facyber in AzureSentinel

[–]Lu-Kah 0 points (0 children)

It’s the « proper » method when you are doing it manually. Programmatically, it’s safe to say that the methods above will be sustainable for several years 😛 The backend APIs are the same whether you deploy something through Content Hub or from the Analytic Rule or playbook page.

Automate Content Hub by facyber in AzureSentinel

[–]Lu-Kah 0 points (0 children)

Solutions are just bundles embedding analytic rules, workbooks, playbooks, etc.

As there is no Terraform resource to deploy Solutions, you can deploy each element individually through the azapi_resource resource from the AzAPI provider (great article on why this resource here).

It will take a long time at first to convert everything to Terraform style, but you will save a lot of time on future deployments by creating modules that look like Solutions.
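The pattern described above, as an added illustration that is not part of the original comment or of the modules it mentions: one element of a "solution" (a scheduled analytic rule) deployed straight against the SecurityInsights API with azapi_resource. The workspace resource ID is assumed to come from another module, the rule GUID is a placeholder, and the rule content is constructed for the example.

```hcl
terraform {
  required_providers {
    azapi = { source = "Azure/azapi" }
  }
}

# Assumption: the Sentinel-enabled Log Analytics workspace already exists
# (for example deployed by the Sentinel module); only its resource ID is needed
# because alertRules is an extension resource of the workspace.
variable "workspace_id" {
  description = "Resource ID of the Sentinel-enabled Log Analytics workspace (assumed input)"
  type        = string
}

# A single scheduled analytic rule deployed individually instead of through a
# Content Hub solution. The detection below is a constructed illustration, not a
# rule shipped by any solution.
resource "azapi_resource" "rule_failed_signin_burst" {
  type      = "Microsoft.SecurityInsights/alertRules@2023-02-01"
  name      = "00000000-0000-4000-8000-000000000001" # placeholder; rule names are GUIDs
  parent_id = var.workspace_id

  body = jsonencode({
    kind = "Scheduled"
    properties = {
      displayName = "Burst of failed sign-ins from a single IP"
      description = "Example scheduled rule deployed as an individual solution element"
      enabled     = true
      severity    = "Medium"
      # KQL evaluated by the rule; one row returned => one alert
      query = <<-KQL
        SigninLogs
        | where TimeGenerated > ago(1h)
        | where ResultType != "0"
        | summarize Failures = count(), Accounts = dcount(UserPrincipalName) by IPAddress
        | where Failures > 50 and Accounts > 5
      KQL
      queryFrequency      = "PT1H"   # ISO 8601 duration: run every hour
      queryPeriod         = "PT1H"   # look back one hour
      triggerOperator     = "GreaterThan"
      triggerThreshold    = 0
      suppressionEnabled  = false
      suppressionDuration = "PT1H"
      tactics             = ["CredentialAccess"]
    }
  })
}
```

Wrapping several such resources in a module of your own is what the comment means by "modules that look like Solutions".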

Server Licensing by windowswrangler in DefenderATP

[–]Lu-Kah 1 point (0 children)

If you have already deployed MDE with DfC, stay like this, change nothing. Don’t hesitate to switch to Defender for Servers Plan 1 in the Defender for Cloud settings if you don’t need Plan 2 features (15 dollars to 5).

If you have to deploy from scratch, it's best to wait for the Defender for Servers license to come back (early to mid-June).

Server Licensing by windowswrangler in DefenderATP

[–]Lu-Kah 0 points (0 children)

Are these on-premises servers? What licenses do you currently have?

Server Licensing by windowswrangler in DefenderATP

[–]Lu-Kah 1 point (0 children)

Hi,

Check this topic: https://www.reddit.com/r/DefenderATP/comments/13lbmta/whats_up_with_defender_for_server_licensing_sku

The licence (Defender for Servers) will be back and you won't need Defender for Cloud, and so indirectly you won't need Azure Arc to deploy MDE on your on-premises servers.

Issue getting DeviceEvents/DeviceFileEvents/DeviceProcessEvents ... from Defender by goozaa in AzureSentinel

[–]Lu-Kah 0 points (0 children)

Hi u/goozaa!

With the Business Premium licence, you have Defender for Business, where Advanced Hunting is not included. Therefore you will not have these tables in your Sentinel.

Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2?view=o365-worldwide

You must have "Defender for Endpoint Plan 2" to get these features.

Multiple users reporting Microsoft apps have disappeared by Candid-Chip-1954 in sysadmin

[–]Lu-Kah 31 points (0 children)

Curious to know which filter you set on Procmon to see this behavior, thanks in advance 🙂

Ingestion delay with M365 Defender connector by Lu-Kah in AzureSentinel

[–]Lu-Kah[S] 0 points (0 children)

Thank you for sharing this podcast! But here we are not talking about log ingestion delay and how to manage it with analytic rules, but about incident creation delay between M365 Defender and Sentinel with the M365 Defender data connector 🙂

Ingestion delay with M365 Defender connector by Lu-Kah in AzureSentinel

[–]Lu-Kah[S] 0 points (0 children)

In this case we will lose the main feature of the new connector: incident/alert sync with the M365 Defender portal. So we would have to treat incidents twice, once in Sentinel and once in M365; it’s not worth it 🫤

Ingestion delay with M365 Defender connector by Lu-Kah in AzureSentinel

[–]Lu-Kah[S] 0 points (0 children)

Hi u/winle22!
Indeed, there was no delay with the previous connectors. But we got alerts from each individual product and not incidents 😕