Money Money Money - Understanding Microsoft Sentinel's Log Management
A Deep Dive into Analytic, Basic, and Archive Logs
When managing security logs, especially in large-scale IT environments, it is crucial to understand the cost implications of Microsoft Sentinel's different log types. Microsoft Sentinel, a sophisticated SIEM platform, offers several types of logs, each tailored to specific needs, with its own pricing and usage scenarios that can significantly affect your cost management strategy.
Let's delve into these types and discuss how they can align with your organization's security and budgetary requirements.
Questions
Before you go further, please note your answers to these 5 questions. Understand where you are now, and how you can drive progression!
How are you currently managing security log costs, and could the tiered pricing structure of Microsoft Sentinel offer more cost-effective solutions for your organization?
Considering the types of logs your organization primarily deals with, would Basic Logs' lower cost and limited capabilities meet your needs, or would the more comprehensive Analytic Logs be more beneficial despite their higher cost?
Does your organization have a strategy for long-term log retention, and how could the Archive Logs in Microsoft Sentinel align with this strategy?
Have you explored tools like the Cost Analysis screen in Azure for better visibility and control over your security log costs?
Are you utilizing budgeting and alert features in Azure to manage and monitor the costs associated with security log management effectively?
Analytic vs. Basic vs. Archive Logs: Cost Implications
Analytic Logs: These are the primary log type in Microsoft Sentinel, offering full analytics capabilities without query limits. They are best used for proactive monitoring, with scheduled alerts and analytics. There are two main pricing options for Analytic Logs: Pay-As-You-Go and Commitment Tiers. With Pay-As-You-Go, you are billed per gigabyte (GB) for the volume of data ingested for security analysis. Commitment Tiers offer a fixed fee based on the selected tier, providing discounts compared to Pay-As-You-Go pricing.
Basic Logs: Introduced to offer a more cost-effective solution for ingesting high-volume, verbose logs with limited security detection value, Basic Logs are billed at a flat rate per GB. They have reduced querying capabilities, an eight-day retention period, and don't support scheduled alerts. They are ideal for use in playbook automation, ad-hoc querying, and investigations.
Archive Logs: These are for long-term log retention and do not fall under the 'hot storage' category. While specific cost details for Archive Logs are not explicitly mentioned in the sources, they are typically used for data that does not require immediate analysis or frequent access.
Cost Management and Monitoring
Commitment Tiers and Simplified Pricing: Microsoft Sentinel offers simplified pricing tiers that combine data analysis costs for Microsoft Sentinel and ingestion storage costs of Log Analytics into a single pricing tier. This approach simplifies the overall billing and cost management experience.
Cost Analysis Tools: Microsoft Sentinel provides tools and features to manage and monitor costs. For example, the Cost Analysis screen in Azure allows you to view detailed charts of your daily costs, apply filters to view costs associated with Microsoft Sentinel specifically, and use Kusto queries to understand your data ingestion volume.
Budgets and Alerts: You can create budgets to manage costs and set up alerts to notify stakeholders of spending anomalies or overspending risks. These budgets can be created for Azure subscriptions and resource groups, offering granularity in your cost monitoring strategy.
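As an added example (not taken from the original post), the Kusto query below, run against the Log Analytics workspace behind Sentinel, breaks billable ingestion down by table over the last 31 days, giving the average GB per day and each table's share of the total; the per-table figures point at high-volume tables worth assessing for Basic Logs, and the workspace-wide daily average is the number to compare against a Commitment Tier's GB/day size. It assumes the standard Usage table is present (Quantity is reported in MB) and that 31 days is a representative window.

```kql
// Added example, not from the original post.
// Assumption: the workspace has the standard Usage table; Quantity is in MB.
let lookback = 31d;
let days = 31;
// Only rows Microsoft bills for; free data types are excluded.
let billable = Usage
    | where TimeGenerated > ago(lookback)
    | where IsBillable == true;
// Workspace-wide billable volume in GB for the window.
let totalGB = toscalar(billable | summarize sum(Quantity) / 1024.0);
billable
| summarize TotalGB = sum(Quantity) / 1024.0 by DataType
| extend AvgDailyGB = round(TotalGB / days, 2),
         ShareOfTotalPct = round(100.0 * TotalGB / totalGB, 2),
         // Same on every row: the figure to hold against a Commitment Tier's GB/day size.
         WorkspaceAvgDailyGB = round(totalGB / days, 2)
| order by TotalGB desc
```

Run it from the workspace's Logs blade or the Sentinel Logs page; tables near the top of the result with little detection value are the natural candidates for the Basic Logs plan, while WorkspaceAvgDailyGB indicates whether a Commitment Tier would undercut Pay-As-You-Go.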
Overall
It's clear that each log type has its unique place in the grand scheme of data management and security analytics. Here's a concise wrap-up:
Analytic Logs: The High-End Choice
Characteristics: Analytic Logs in Microsoft Sentinel are the high-performance option, offering unrestricted use in analytic rules, workbooks, and hunting queries.
Use Case: They are the go-to for high-value security data that demands constant monitoring and immediate alerting.
Trade-off: The main consideration is the cost, which is higher compared to other log types.
Basic Logs: The Cost-Effective Alternative
Characteristics: Basic Logs are the budget-friendly option. They are accessible and functional for specific uses but come with limitations.
Use Case: Ideal for logs with lower detection value, these are great for initial stages of investigating an incident or for threat hunting purposes.
Limitations: Their use in analytic rules, workbooks, and most hunting queries is restricted. Also, they have a maximum retention period of just 8 days.
Archive Logs: The Long-Term Storage Solution
Characteristics: Archive Logs are the most economical for long-term storage, capable of storing logs for up to 12 years.
Use Case: They are not designed for 'hot storage' but are useful for extended data retention, particularly in scenarios where long-term data availability is essential for compliance or historical analysis.
Functional Aspect: While they facilitate "Search Jobs" for threat hunting, these come with their own costs.
The Strategic Combination: Analytic & Basic & Archive
The key to effective log management in Microsoft Sentinel lies in understanding when and how to use each log type:
Analytic Logs for high-priority security data requiring immediate action.
Basic Logs for less critical data, providing a cost-effective solution for short-term use.
Archive Logs to economically extend the life of your data, particularly the Basic Logs, beyond their 8-day limit, giving broader scope for threat hunting and long-term analysis.
Conclusion
A holistic approach that combines Analytic, Basic, and Archive logs can lead to a more efficient, cost-effective, and comprehensive data management strategy within Microsoft Sentinel. This approach not only enhances your security posture but also aligns with budgetary constraints and operational needs. The art of balancing these log types is crucial to maximizing the potential of Microsoft Sentinel as a powerful SIEM tool.
#MicrosoftSecurity
#MicrosoftLearn
#MicrosoftDefenderXDR
#MicrosoftSentinel
#CyberSecurity