Microsoft Sentinel users can use Microsoft Defender Threat Intelligence (Defender TI)'s threat intelligence indicators to generate detections within Microsoft Sentinel. Microsoft Sentinel users with appropriate permissions can enable the "Microsoft Threat Intelligence Analytics" Analytic rule template, which allows the correlation of Defender TI's threat intelligence phishing and malware feed indicators, along with its article indicators, against the user's event logs in their Log Analytics workspace every hour. Suppose there is a correlation between the Defender TI indicators and the user's logs. In that case, an incident is generated, and the indicator that triggered the incident is written to Sentinel's Threat intelligence table. The user can then view the indicator in their Microsoft Sentinel Threat intelligence blade and the associated incident in the Incidents blade.

Figure 1 – Threat Intelligence indicators, filtered by Microsoft Threat Intelligence Analytics source

Users will need to filter by the Microsoft Threat Intelligence Analytics source to identify Defender TI phishing, malware, and article indicators that have generated incidents.

How to locate the "Microsoft Threat Intelligence Analytics" Analytic Rule template

Microsoft Sentinel users with appropriate permissions can access the "Microsoft Threat Intelligence Analytics" rule template by opening the Analytics blade, navigating to Rule Templates, and searching for "Microsoft Threat Intelligence" in the search bar. There they can view the Microsoft Threat Intelligence Analytics rule template, available to enable (or to disable, if already in use). For more information on how to enable Analytic rule templates, see Microsoft Sentinel's built-in threat detection rules. For more information on Microsoft Sentinel's threat intelligence analytic rules, see New Threat Intelligence features in Microsoft Sentinel - Microsoft Tech Community and Work with threat indicators in Microsoft Sentinel | Microsoft Learn.

How to estimate the cost of Microsoft 365 Defender raw data ingestion in Microsoft Sentinel

Recently a few customers asked me to estimate the increase in costs that they would see by enabling "raw data" (Advanced Hunting data) ingestion from Microsoft 365 Defender into Microsoft Sentinel. This ingestion is highly recommended, as it strengthens Microsoft Sentinel's threat detection capability for customers using the services in Microsoft 365 Defender: as a first piece of evidence, at the time of this writing there are more than 40 Analytic Rule templates in Sentinel that leverage the raw data coming from Microsoft 365 Defender. Additionally, this ingestion gives access to this data for a much longer period than the 30 days available in Microsoft 365 Defender Advanced Hunting. This data ingestion can be configured by activating the "Microsoft 365 Defender" data connector in Sentinel.

The increment in Sentinel costs due to this additional ingestion is strongly reduced, if not completely zeroed, by the Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers: at the time of this writing, customers get a data grant of up to 5 MB per user per day of Microsoft 365 data ingestion into Microsoft Sentinel. Please refer to the linked page to read the details of the licenses and tables included in the benefit.

To estimate the increment in Sentinel costs, I recommend following the list of actions described in this flowchart:

The code referenced in the first step of the flowchart is the following:

| summarize RecordCount = count(), TotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2)

As the second action in the flowchart, I recommend updating the code shown above with the Advanced Hunting tables that have been added to the "Microsoft 365 Defender" data connector in Sentinel. This list does not change frequently, but changes may happen.
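The following query is an added example, not the post's own code, that carries the first two steps of the cost-estimation flowchart through in a single Advanced Hunting query: it unions the tables the "Microsoft 365 Defender" connector can bring into Sentinel, applies the post's estimate_data_size() measurement per table and per day, and compares the resulting average daily volume with the 5 MB per user per day benefit. The user count (LicensedUsers) and the table list are assumptions to adjust, and whether every listed table is covered by the benefit must be checked against the benefit page the post links.

```kusto
// Added example (not the post's own query). Run in Microsoft 365 Defender
// Advanced Hunting, which keeps 30 days of history and uses the Timestamp column.
// Assumptions: LicensedUsers is your own benefit-eligible user count; the table
// list is the connector's table set at the time of writing (remove any table
// your tenant does not have, or the union fails); every table is treated as
// covered by the benefit, which must be verified against the benefit page.
let LicensedUsers = 1000;            // assumed value, replace with your own
let BenefitMBPerUserPerDay = 5.0;    // grant stated in the post
union withsource=SourceTable
    DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo,
    DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo,
    DeviceProcessEvents, DeviceRegistryEvents, DeviceFileCertificateInfo,
    EmailEvents, EmailUrlInfo, EmailAttachmentInfo, EmailPostDeliveryEvents,
    IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents,
    CloudAppEvents, AlertInfo, AlertEvidence, UrlClickEvents
| where Timestamp > ago(30d)
// step 1 of the flowchart, but per table and per day instead of one total
| summarize RecordCount = count(),
            SizeMB = sum(estimate_data_size(*)) / pow(1024, 2)
          by SourceTable, Day = bin(Timestamp, 1d)
// average daily volume of each table over the observed days
| summarize DailyRecords = toint(avg(RecordCount)),
            DailyMB = round(avg(SizeMB), 2)
          by SourceTable
| order by DailyMB desc
// roll the tables up to one daily total and compare it with the grant
| summarize TotalDailyMB = round(sum(DailyMB), 2),
            PerTable = make_list(bag_pack("Table", SourceTable, "DailyMB", DailyMB))
| extend BenefitMBPerDay = LicensedUsers * BenefitMBPerUserPerDay
| extend BillableMBPerDay = max_of(TotalDailyMB - BenefitMBPerDay, 0.0)
| project TotalDailyMB, BenefitMBPerDay, BillableMBPerDay, PerTable
```

BillableMBPerDay is the volume you would pay Sentinel ingestion for once the connector is enabled; PerTable shows which tables drive it, which is the input for deciding whether to leave a high-volume table out of the connector.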