Michael Kavka, R.J. O’Brien, Sr. Security Engineer
“Implementing Azure Sentinel is straightforward, coming down to implementing your data connections and deciding how much space to allocate for data storage.”
Microsoft Azure Sentinel combines security information event management and security orchestration automated response functionality in one tool, making it much easier to have all security data and controls in one place. That consolidated platform simplifies monitoring, correlating, and automating security functions such as detections, alerting, and playbooks.
Implementing Azure Sentinel is straightforward, coming down to implementing your data connections and deciding how much space to allocate for data storage. Both are important because they can have a big impact on the tool’s operational cost. Regarding data storage, Azure Sentinel defaults to holding log data for 30 days, which will be plenty for most companies. Some high-risk businesses that represent attractive targets, such as financial services firms, may want to hold data longer. The longer you store data, however, the more space it consumes, which increases costs.
The amount of data Azure Sentinel consumes also comes with costs, but you can monitor and analyze a lot of data for free. For example, it costs nothing to ingest data from other Microsoft security products, such as the Microsoft 365 Defender suite (Microsoft Defender for Endpoint [formerly
Microsoft Advanced Threat Protection], Microsoft Cloud App Security, and others). Monitoring these tools is easy: In the Azure portal, select Azure Sentinel, select Data connections, and then turn on the data connections for those tools. If you have a largely Microsoft environment and are using these tools, turning all that data on enables Azure Sentinel to provide you with a lot of visibility into what’s happening in your environment. It takes only a few minutes to start seeing results.
This is an excerpt from 7 Experts on Implementing Azure Sentinel. This eBook was generously sponsored by BlueVoyant.
