Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Microsoft Sentinel in Action

You're reading from   Microsoft Sentinel in Action Architect, design, implement, and operate Microsoft Sentinel as the core of your security solutions

Arrow left icon
Product type Paperback
Published in Feb 2022
Publisher Packt
ISBN-13 9781801815536
Length 478 pages
Edition 2nd Edition
Arrow right icon
Authors (2):
Arrow left icon
Richard Diver Richard Diver
Author Profile Icon Richard Diver
Richard Diver
Gary Bushey Gary Bushey
Author Profile Icon Gary Bushey
Gary Bushey
Arrow right icon
View More author details
Toc

Table of Contents (23) Chapters Close

Preface 1. Section 1: Design and Implementation
2. Chapter 1: Getting Started with Microsoft Sentinel FREE CHAPTER 3. Chapter 2: Azure Monitor – Introduction to Log Analytics 4. Section 2: Data Connectors, Management, and Queries
5. Chapter 3: Managing and Collecting Data 6. Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel 7. Chapter 5: Using the Kusto Query Language (KQL) 8. Chapter 6: Microsoft Sentinel Logs and Writing Queries 9. Section 3: Security Threat Hunting
10. Chapter 7: Creating Analytic Rules 11. Chapter 8: Creating and Using Workbooks 12. Chapter 9: Incident Management 13. Chapter 10: Configuring and Using Entity Behavior 14. Chapter 11: Threat Hunting in Microsoft Sentinel 15. Section 4: Integration and Automation
16. Chapter 12: Creating Playbooks and Automation 17. Chapter 13: ServiceNow Integration for Alert and Case Management 18. Section 5: Operational Guidance
19. Chapter 14: Operational Tasks for Microsoft Sentinel 20. Chapter 15: Constant Learning and Community Contribution 21. Assessments 22. Other Books You May Enjoy

Service pricing for Microsoft Sentinel

There are several components to consider when pricing Microsoft Sentinel:

  • A charge for ingesting data into Log Analytics
  • A charge for running the data through Microsoft Sentinel
  • Retention of data, past the initial 90-day default retention allowance
  • Charges for running Logic Apps for Automation (optional)
  • Charges for running your own machine learning models (optional)
  • The cost of running any VMs for data collectors (optional)

The cost of Azure Monitor and Microsoft Sentinel is calculated by how much data is consumed, which is directly impacted by the connectors: which type of information you connect to and the volume of data each node generates. This may vary each day throughout the month as changes in activity occur across your infrastructure and cloud services. Some customers notice a change based on their customer sales fluctuations, or when they come under a DDoS attack.

The pricing is also influenced by how long the data is retained within Microsoft Sentinel. The default is 90 days but can be extended to up to 2 years. Most security operations require between 6 and 12 months of hot data retention. After the set retention period, use Azure Data Explorer (ADX) to retain data for as long as required (up to 99 years).

The initial pricing option is to use Pay as You Go (PAYG). With this option, you pay a fixed price per Gigabyte (GB) ingested, charged on a per-day basis. Microsoft has provided the option to commit to varying volume tiers and receive discounts in return based on larger volumes of data.

It is worth noting that Microsoft has made available some connectors that do not incur a data ingestion cost. The data from these connectors could account for 10-20% of your total data ingestion, which reduces your overall costs. Currently, the following data connectors are not charged for ingestion (generally the free ingestion is for alerts only; some connectors do provide the full data ingestion). The details are here: https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/#faq.

  • Azure Activity (activity logs for Azure operations)
  • Azure Active Directory Identity Protection (for tenants with Azure Active Directory P2 licenses)
  • Microsoft Information Protection
  • Microsoft Defender
  • Azure Security Center
  • Microsoft 365 Defender
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Office 365
  • Microsoft Defender for Identity
  • Office 365 audit logs (all Teams, Exchange admin, and SharePoint activity logs)

The pricing works by charging on a PAYG basis for each day, based on actual data consumption. There are capacity commitment tiers available to provide discount pricing when the volume of data ingested regularly reaches the reservation limits:

  • 100 GB
  • 200 GB
  • 300 GB
  • 400 GB
  • 500 GB
  • 1,000 GB (1 TB)
  • 2,000 GB (2 TB)
  • 5,000 GB (5 TB)

With capacity reservation, a fixed price is paid for the data each day at that tier, then charges are incurred at a PAYG price for each GB over that tier amount. The PAYG pricing is set to the same amount as the committed tier discount price. When you work out the calculations for the pricing tiers, it makes financial sense to increase to the next tier when you reach the point where the reservation is cheaper than paying PAYG pricing, which is between 50 and 80%.

For example, if you are ingesting an average of 130 GB per day, you will pay for the first 100 GB at a fixed price per GB, and then pay a PAYG price per GB for the additional 30 GB (example per day = $296). Now, if you increase your daily usage to 185 GB, you will save money by increasing your plan to the 200 GB option (example per day = $276) and paying for the extra capacity, instead of paying for the 100 GB (fixed) + 85 GB (PAYG) (total per day = $384.80).

When you look at the amount of data you are using, you may see a trend toward more data being consumed each month as you expand the solution to cover more of your security landscape. As you approach the next tier, you should consider changing the pricing model; you have the option to change once every 30 days.

The next area of cost management to consider is retention and long-term storage of the Microsoft Sentinel data. By default, the preceding pricing includes 90 days of retention. For some companies, this is enough to ensure visibility over the last 3 months of activity across their environment; for others, there will be a need to retain this data for longer, sometimes between 2 and 7 years depending on regulatory requirements in your country or industry. There are two primary ways of maintaining data long term, and both should be considered and chosen based on price and technical requirements:

  • Azure Monitor: This is the native storage for Microsoft Sentinel and provides a default hot storage option of 90 days, which can be upgraded to store the hot data for up to 2 years.

    Pros: The data is available online and in Azure Monitor, enabling direct queries using KQL searches, and the data can be filtered to only retain essential information.

    Cons: This is likely the most expensive option per GB compared to the other options.

  • Azure Data Explorer (ADX): This solution can maintain data indefinitely; pricing is based on a combination of the volume of data and the amount of compute required to carry out searching. Generally, this will be one-tenth of the cost of Microsoft Sentinel for long-term storage.

    Pros: The data is available online and in Azure, enabling direct queries using KQL searches. The data can be filtered to only retain essential information.

    Cons: This is a separate service and requires some initial configuration and integration effort for unsupported tables.

  • Other storage options: Cloud-based or physical-based storage solutions can be used to store the data indefinitely, usually enabled by sending data via Event Hubs or Azure Storage.

    Pros: Cheaper options are available from a variety of partners.

    Cons: Additional charges will be made if data is sent outside of Azure, and the data cannot be queried by Microsoft Sentinel. Using this data requires another solution to be implemented to query the data when required.

Each of these components is highly variable across deployments, so you will need to carry out this research as part of your design. Also, research the latest region availability and ascertain whether Microsoft Sentinel is supported in the various government clouds, such as in China.

You have been reading a chapter from
Microsoft Sentinel in Action - Second Edition
Published in: Feb 2022
Publisher: Packt
ISBN-13: 9781801815536
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image