fokitron.blogg.se

Defender 21159 sentinel pro

How to estimate the cost of Microsoft 365 Defender raw data ingestion in Microsoft Sentinel

Recently a few customers asked me to estimate the increase in costs that they would see by enabling “raw data” (Advanced Hunting data) ingestion from Microsoft 365 Defender into Microsoft Sentinel. This ingestion is highly recommended as it strengthens Microsoft Sentinel’s threat detection capability for customers using the services in Microsoft 365 Defender: just as a first piece of evidence, at the time of this writing there are more than 40 Analytic Rule templates in Sentinel that leverage the raw data coming from Microsoft 365 Defender. Additionally, this ingestion enables access to this data for a much longer period than the 30 days available in Microsoft 365 Defender Advanced Hunting. This data ingestion can be configured by activating the “Microsoft 365 Defender” data connector in Sentinel.

The increment of Sentinel costs due to this additional ingestion is strongly reduced, if not completely zeroed, by the Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers: at the time of this writing, customers get a data grant of up to 5 MB per user per day of Microsoft 365 data ingestion into Microsoft Sentinel. Please refer to the linked page to read the details of the licenses and tables included in the benefit.

To estimate the increment of Sentinel costs, I recommend following the list of actions described in this flowchart:

The code referenced in the first step of the flowchart is the following:

    | summarize RecordCount = count(), TotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2)

As the second action in the flowchart, I recommend updating the code shown above with any Advanced Hunting tables that have been added to the “Microsoft 365 Defender” data connector in Sentinel. This list does not change frequently, but changes may happen. Just as an example, at the time of this writing we expect to soon have in Sentinel also the new “UrlClickEvents” table, which was very recently added in Microsoft 365 Defender Advanced Hunting. The updated list of the Microsoft 365 Defender Advanced Hunting tables that are ingested in Sentinel can be retrieved in the “data connector page”:

I recommend running the above query on a wide time range (e.g., 30 days):

Please note that, in the query shown above, I’m explicitly listing all the Advanced Hunting tables to be included in the union instead of using “union withsource=MDTables”, because this last “one row” KQL statement returns a list of tables which does not coincide completely with the tables that are ingested in Sentinel. The list of tables returned by “union withsource=MDTables” can be retrieved with the following simple query:

Finally, in my flowchart I recommend using the “Microsoft Sentinel Cost” workbook to get the total volume of the ingestion that already exists on the tables eligible for the Microsoft 365 E5, A5, F5, and G5 benefit. Once again, I recommend setting the “TimeRange” parameter in the workbook to a wide time interval (e.g.

With the result of the KQL query, the evidence from the workbook and some math, you can do a simple calculation to retrieve how many MB per user per day you are going to ingest, after the activation of the “Microsoft 365 Defender” data connector in Sentinel, on the Sentinel tables that are eligible for the Microsoft 365 E5, A5, F5, and G5 benefit. In the flowchart I’m showing this example:

  • In Azure Log Analytics/Microsoft Sentinel, you are already ingesting 2 MB per user per day on the tables relevant for the benefit (read from the workbook).
  • The Microsoft 365 Defender Advanced Hunting tables would cause an increase in ingestion of 4 MB per user per day (read from the KQL query).
  • The amount that possibly exceeds the 5 MB per user per day is the increase of billable ingestion.
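As an added example (not the article’s own query), the following KQL shows one way to carry out the first step of the flowchart with an explicit table list, reporting the size per table and the resulting MB per user per day, so that the figure can be compared directly with the 5 MB per user per day grant. The table list and the number of licensed users are assumptions: compare the list with the tables shown in the “Microsoft 365 Defender” data connector page and replace the user count with your own. `isfuzzy=true` lets the query run even if one of the listed tables does not exist yet in the workspace (for instance a table announced for the connector but not yet ingested), which is the case the article warns about.

```kql
// Added example, not the article's own query.
// Estimates how much data the Microsoft 365 Defender Advanced Hunting tables
// already in this workspace produce, per table and per user per day.
let lookback = 30d;          // wide time range, as recommended in the article
let licensedUsers = 1000;    // ASSUMPTION: number of licensed users; replace with your own
// ASSUMPTION: the table list below must be checked against the
// "Microsoft 365 Defender" data connector page and updated when it changes.
union withsource=SourceTable isfuzzy=true
    AlertEvidence, AlertInfo, CloudAppEvents,
    DeviceEvents, DeviceFileCertificateInfo, DeviceFileEvents, DeviceImageLoadEvents,
    DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo,
    DeviceProcessEvents, DeviceRegistryEvents,
    EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents, EmailUrlInfo,
    IdentityDirectoryEvents, IdentityInfo, IdentityLogonEvents, IdentityQueryEvents,
    UrlClickEvents
| where TimeGenerated > ago(lookback)
// estimate_data_size(*) gives the approximate billable size of each row in bytes
| summarize RecordCount = count(),
            TotalSizeMB = round(sum(estimate_data_size(*)) / pow(1024, 2), 2)
         by SourceTable
// normalise to the unit used by the benefit: MB per user per day
| extend MBPerUserPerDay = round(TotalSizeMB / licensedUsers / (lookback / 1d), 4)
| order by TotalSizeMB desc
```

Summing the `MBPerUserPerDay` column gives the “increase” figure used in the flowchart (4 MB in the article’s example); add it to the existing ingestion read from the “Microsoft Sentinel Cost” workbook and compare the total with the 5 MB per user per day grant. A table that does not exist yet simply contributes no rows, so re-running the query after the connector adds new tables picks them up without further changes.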