Microsoft Sentinel offers free data ingestion for several sources, with 90 days of retention included. This is particularly useful for security teams that want to start monitoring threats without immediate cost implications. Below, we explore the key aspects of this offering, along with practical commands and steps for implementation.
Key Data Sources Eligible for Free Ingestion
- Defender for Servers Plan 2 – 500 MB per VM per day for security logs:
  - `SecurityAlert`
  - `SecurityBaseline`
  - `SecurityEvent`
  - `WindowsFirewall`
  - `SysmonEvent`
- Microsoft 365 E5/A5/F5/G5 customers – 5 MB per user per day:
  - Microsoft Entra ID (Azure AD) sign-in & audit logs
  - Defender for Cloud Apps logs
  - Microsoft Purview Information Protection logs
You Should Know: Practical Implementation
1. Enabling Sentinel Data Ingestion
To connect data sources to Microsoft Sentinel, use the following Azure CLI commands:
```bash
# Create the Log Analytics workspace that Sentinel will be enabled on
az monitor log-analytics workspace create --resource-group MyResourceGroup --workspace-name MyWorkspace

# Create the Defender for Cloud data connector (the `az sentinel` commands come from the
# `sentinel` Azure CLI extension: az extension add --name sentinel)
az sentinel data-connector create --resource-group MyResourceGroup --workspace-name MyWorkspace --name "DefenderForCloud" --data-type "SecurityAlert"
```
2. Verify Ingested Data
Check logs in Sentinel using KQL (Kusto Query Language):
```kusto
SecurityAlert
| where TimeGenerated > ago(1d)
| summarize count() by AlertName
```
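The two allowances listed above are daily caps, so a verification step should also tell you how close a workspace is to them. As an added example (not code from the original post or from Microsoft), the following Python script applies the 500 MB/VM/day and 5 MB/user/day rules to one day of per-table ingestion, shaped like the result of a `Usage` query run in the same Logs blade. It assumes the per-VM allowance is pooled across all VMs in the workspace and that `SigninLogs` and `AuditLogs` are the Entra ID tables; the sample rows and the VM/user counts are constructed.

```python
"""Added example (not from the original post): account for a day's ingestion against the
two free-ingestion allowances the post describes, using rows shaped like the output of a
Sentinel `Usage` query. The table-to-benefit mapping and the pooling of the per-VM
allowance across all VMs in the workspace are assumptions made for this example."""
from dataclasses import dataclass

# Allowances as stated in the post (MB per day).
DEFENDER_SERVERS_MB_PER_VM = 500
M365_MB_PER_USER = 5

# Tables the post lists under the Defender for Servers Plan 2 benefit.
DEFENDER_SERVERS_TABLES = {"SecurityAlert", "SecurityBaseline", "SecurityEvent",
                           "WindowsFirewall", "SysmonEvent"}
# Assumed mapping of the Entra ID sign-in and audit sources to their workspace tables;
# extend this set with the other M365 E5 tables you ingest.
M365_TABLES = {"SigninLogs", "AuditLogs"}

# KQL that produces rows of the shape consumed below (Usage.Quantity is in MB).
USAGE_QUERY = """
Usage
| where TimeGenerated > ago(1d) and IsBillable == true
| summarize Quantity = sum(Quantity) by DataType
"""


@dataclass
class BenefitUsage:
    benefit: str
    used_mb: float
    allowed_mb: float

    @property
    def overage_mb(self) -> float:
        """MB above the allowance, i.e. what would be billed at normal rates."""
        return max(0.0, self.used_mb - self.allowed_mb)

    @property
    def percent_used(self) -> float:
        return 0.0 if self.allowed_mb == 0 else 100.0 * self.used_mb / self.allowed_mb


def summarize_benefits(usage_rows, vm_count, user_count):
    """Group one day's per-table ingestion into the benefit that covers it."""
    used = {"defender_servers": 0.0, "m365": 0.0, "not_covered": 0.0}
    for row in usage_rows:
        table, mb = row["DataType"], float(row["Quantity"])
        if table in DEFENDER_SERVERS_TABLES:
            used["defender_servers"] += mb
        elif table in M365_TABLES:
            used["m365"] += mb
        else:
            used["not_covered"] += mb  # billed from the first MB
    allowed = {
        "defender_servers": float(DEFENDER_SERVERS_MB_PER_VM * vm_count),
        "m365": float(M365_MB_PER_USER * user_count),
        "not_covered": 0.0,
    }
    return {name: BenefitUsage(name, used[name], allowed[name]) for name in used}


# Constructed sample: what the query above might return for one day.
SAMPLE_USAGE = [
    {"DataType": "SecurityEvent", "Quantity": 1100.0},
    {"DataType": "SysmonEvent", "Quantity": 320.0},
    {"DataType": "SecurityAlert", "Quantity": 5.0},
    {"DataType": "SigninLogs", "Quantity": 640.0},
    {"DataType": "AuditLogs", "Quantity": 90.0},
    {"DataType": "Syslog", "Quantity": 400.0},
]

if __name__ == "__main__":
    # Constructed sizing: 3 VMs on Defender for Servers Plan 2, 100 licensed M365 E5 users.
    for b in summarize_benefits(SAMPLE_USAGE, vm_count=3, user_count=100).values():
        print(f"{b.benefit:16s} used {b.used_mb:7.1f} MB of {b.allowed_mb:7.1f} MB "
              f"({b.percent_used:5.1f}%), overage {b.overage_mb:.1f} MB")
```

With the constructed numbers the Defender for Servers tables stay inside their pooled 1500 MB, the Entra ID tables exceed the 500 MB the 100 users are entitled to by 230 MB, and the `Syslog` volume is billed in full because neither benefit covers it. Pointing the `not_covered` bucket at a real `Usage` result is a quick way to see which tables drive the bill once the free tier is in place.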
3. Automate Log Collection with Sysmon (Windows)
Deploy Sysmon for enhanced logging:
```powershell
sysmon -accepteula -i sysmonconfig-export.xml
```
(Download Sysmon config from SwiftOnSecurity’s GitHub)
4. Linux Server Log Forwarding
Use rsyslog to forward logs to Sentinel:
```bash
sudo apt-get install rsyslog
# Forward all facilities and priorities (*.*) to the collector endpoint named in the post
echo "*.* @<YourWorkspaceID>.ods.opinsights.azure.com:25226" | sudo tee -a /etc/rsyslog.conf
sudo systemctl restart rsyslog
```
5. Microsoft 365 Data Integration
Enable Office 365 logs via PowerShell:
```powershell
# Allow locally created scripts and signed modules to run (run once, from an elevated prompt)
Set-ExecutionPolicy RemoteSigned
# <AdminUPN> is a placeholder for the admin account's user principal name
Connect-ExchangeOnline -UserPrincipalName <AdminUPN>
Enable-OrganizationCustomization
```
What Undercode Say
Microsoft Sentinel’s free-tier ingestion is a powerful tool for initial threat detection and log analysis. By leveraging Defender for Cloud and M365 integrations, teams can maximize visibility without upfront costs. For extended retention, consider Azure Archive Storage or tiered pricing post-90 days.
Expected Output:
- Verified log ingestion in Sentinel’s “Logs” blade.
- Alerts generated from `SecurityEvent` or `SecurityAlert` tables.
- Automated workflows triggering Sentinel Playbooks for incident response.
Reported By: Vladjoh Siem – Hackers Feeds