While these resources provide some great information – particularly the additional information included in the FAQ – there continues to be confusion over the Basic Logs option. So, I believe this feature requires some clarification.

Basic Logs can be a definite cost-saving measure, but many customers are attempting to include it in general Microsoft Sentinel planning. Basic Logs has very specific use cases and very specific limitations. Many customers may never need or use this option.

Consider those massive log files like Netflow or Storage services. When you are tasked with looking through those log files, it's generally not as part of a Hunting operation. When you need to surface and expose the data in those types of logs, it's because you have identified that a critical situation already exists, and you need the data from those logs to confirm the suspicious activity and to add additional context to the investigation. Netflow or Storage logs are probably not going to provide the first sign that you have an issue. That will probably come from device or user activities, possibly through monitoring Security events, Office or Defender alerts.

The logs intended for Basic Logs are massive in size. They are not something you would generally want to ingest on a constant basis, particularly when the regular Analytics Logs ingestion cost is around $2.00-$2.50 per GB depending on the Azure region being used. Using Basic Logs for these enormous logs, there's a clear cost advantage because it cuts the normal price almost in half at $1.00 per GB (50% Log Analytics charge and 50% Sentinel charge). With Basic Logs you give up the ability to create Analytics Rules (alerts are not supported), KQL language access is limited and there's a charge for interactive queries ($0.005 per GB scanned), the supported log types are limited (see the FAQ), and the data from these log files can only be stored as active or "hot" data for 8 days at a time.

For those instances where Basic Logs makes sense, this option is hugely valuable. But Basic Logs should be used as just another tool, and a tool that's employed after-the-fact. What I mean by that is that when planning a new Microsoft Sentinel deployment, or adjusting an existing one to incorporate the new potentially cost-saving measures, focus first on what Microsoft Sentinel already provides – which is already amazing with the low ingestion costs, free 90-day retention for all data, commitment tier savings for ingestion, and no cost for queries with full access to KQL – and also maybe incorporate the new Archived Logs feature to store data longer than the free 90 days for compliance and audit purposes. Standing up and using Microsoft Sentinel has always been and always should be easy.

The page also embeds a fragment of a Netflow workbook definition (resource type `microsoft.operationalinsights/workspaces`, time range taken from the `TimeRange` workbook parameter). Its tile titles are "Sources and Ports (Sum of Bytes)", "Destinations and Ports (Sum of Bytes)" and "IP Version and Protocols (Sum of Bytes)"; the fragment does not keep the titles attached to their queries, so the queries are listed by what they compute. The CSV URLs for the two `externaldata` lookups were not preserved and appear as placeholders.

Bytes by destination port, joined to a service-name lookup:

```kql
let data = externaldata (ServiceName:string, PortNumber:int)
    ["<lookup-csv-url-not-preserved-on-page>"]
    with(ignorefirstrecord=true);
netflow_CL
| where isnotempty(netflow_l4_dst_port_d)
| where netflow_l4_dst_port_d != 0
| summarize Sum = sum(netflow_in_bytes_d) by netflow_l4_dst_port_d
| extend Port = toint(netflow_l4_dst_port_d)
| join (data) on $left.Port == $right.PortNumber
| extend ServicePort = tostring(Port)
| project ServicePort, Sum
```

Bytes by destination IPv4 address:

```kql
netflow_CL
| where isnotempty(netflow_ipv4_dst_addr_s)
| summarize Sum = sum(netflow_in_bytes_d) by netflow_ipv4_dst_addr_s
| project-rename DestinationIP = netflow_ipv4_dst_addr_s
```

Bytes by IP protocol number, joined to a protocol-keyword lookup:

```kql
let data = externaldata (Decimal:int, Keyword:string)
    ["<lookup-csv-url-not-preserved-on-page>"]
    with(ignorefirstrecord=true);
netflow_CL
| extend NetflowProtocol = toint(netflow_protocol_d)
| summarize Sum = sum(netflow_in_bytes_d) by NetflowProtocol
| join (data) on $left.NetflowProtocol == $right.Decimal
| project-rename Protocol = Keyword
| project Protocol, Sum
```

Bytes by IP version:

```kql
netflow_CL
| summarize Sum = sum(netflow_in_bytes_d) by netflow_ip_protocol_version_d
| extend IPVersion = iff(netflow_ip_protocol_version_d == 4, "4",
                     iff(netflow_ip_protocol_version_d == 6, "6", "Unknown"))
| project IPVersion, Sum
```
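As an added illustration of the cost trade-off described in the post (this is not code from the original), the figures quoted there put into a small model: Basic Logs halve the ingestion price but add a per-GB charge for every interactive query, so a table that is scanned often can end up costing more than Analytics Logs. It assumes each interactive query scans the full ingested volume, and the prices are the post's illustrative numbers, not a price list.

```python
"""Analytics Logs vs Basic Logs cost model, using the figures quoted in the post."""
from dataclasses import dataclass

ANALYTICS_RATE_RANGE = (2.00, 2.50)  # $/GB ingested, Analytics Logs, varies by region (from the post)
BASIC_INGEST_RATE = 1.00             # $/GB ingested, Basic Logs: 50% Log Analytics + 50% Sentinel
BASIC_SCAN_RATE = 0.005              # $/GB scanned by an interactive query against Basic Logs
BASIC_HOT_DAYS = 8                   # Basic Logs data stays queryable ("hot") for 8 days


@dataclass
class Plan:
    ingested_gb: float       # GB ingested over the period you are costing
    analytics_rate: float    # $/GB for Analytics Logs in your region
    full_scans: int = 0      # interactive queries that scan the whole ingested volume (assumption)


def analytics_cost(p: Plan) -> float:
    """Analytics Logs: pay for ingestion only; queries are free."""
    return p.ingested_gb * p.analytics_rate


def basic_cost(p: Plan) -> float:
    """Basic Logs: cheaper ingestion plus a charge for every GB an interactive query scans."""
    return p.ingested_gb * BASIC_INGEST_RATE + p.full_scans * p.ingested_gb * BASIC_SCAN_RATE


def break_even_scans(analytics_rate: float) -> float:
    """Number of full-volume scans at which Basic Logs stop being cheaper.

    ingested * rate == ingested * BASIC_INGEST_RATE + n * ingested * BASIC_SCAN_RATE
    => n = (rate - BASIC_INGEST_RATE) / BASIC_SCAN_RATE   (independent of volume)
    """
    return (analytics_rate - BASIC_INGEST_RATE) / BASIC_SCAN_RATE


def cheaper_plan(p: Plan) -> str:
    """Return which tier costs less for this plan."""
    return "basic" if basic_cost(p) < analytics_cost(p) else "analytics"


if __name__ == "__main__":
    # Constructed sample: 1 TB of Netflow, investigated a handful of times within the hot window.
    investigation = Plan(ingested_gb=1000, analytics_rate=2.00, full_scans=10)
    print("investigation use:", cheaper_plan(investigation), basic_cost(investigation))
    # Querying the same table hundreds of times (hunting-style use) flips the answer.
    hunting = Plan(ingested_gb=1000, analytics_rate=2.00, full_scans=300)
    print("hunting use:", cheaper_plan(hunting), basic_cost(hunting))
    for rate in ANALYTICS_RATE_RANGE:
        print(f"break-even scans at ${rate:.2f}/GB: {break_even_scans(rate):.0f}")
```

At the post's prices, Basic Logs stay cheaper until a table is fully scanned roughly 200 to 300 times, which is why the tier fits after-the-fact investigation rather than continuous hunting.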