In Episode 181, Ben and Scott go deeper into Azure Sentinel, discussing considerations for the design and segmentation of your Sentinel workspaces.

- [Ben] Welcome to episode 181 of the Microsoft Cloud IT pro podcast recorded live on June 5, 2020. This is a show about Microsoft 365 and Azure, from the perspective of IT pros and end users where we discuss the topic or recent news and how it relates to you. In this episode, Scott and Ben take a little bit deeper dive into Azure Sentinel and what you can do with it. And here we are, Scott. A Friday, but not just any Friday. This Friday is unique from all other Fridays.

- [Scott] It is, is it?

- [Ben] Every Friday is unique technically, right? Every Friday is not like the other. One of these things is not on, no don't get me started.

- [Ben] No, stop the madness. No, this is your last day, which means we may have to update our intro. We need to talk about that but why might we have to intro, update our intro, Scott?

- [Scott] I am going to go out into the wider world and live one of my adult dreams. I'm gonna become a blue badge.

- [Ben] Look at you.

- [Scott] Look at me.

- [Ben] You are moving up. You are leaving me. No, you're not leaving me. We're gonna still keep doing the podcast, you're just changing jobs, which is exciting. I know I've talked to a bunch and this is something you have been trying for wanting to do for a long time. So it's exciting for me to be excited for you because I do know how excited you have been to do this.

- [Scott] Yeah, I think it will be very interesting. So I'm gonna be living in a little bit of a different life. I am joining the Azure storage product team as a product manager within a Cogs group. So I'll primarily be working with customers around Azure blob storage, which storage is kinda the backbone of, just about everything that you do in the cloud. At the end of the day, if you think about Azure, it's really a bunch of compute. It's a big hypervisor and then stuff that's running in storage, which tends to be blobs, that could be virtual machine disks, could be something you upload for a workload, could be like data lakes all run in blob storage, things like that. So I think it'd be very exciting to be a little bit closer to kinda the core and backend of everything that drives Azure.

- [Ben] Got it, very cool. You are gonna be focused then explicitly on just blob storage because storage has all those other things like you have your blobs and your Azure file shares and all of those that function differently and do different things and you are not Azure storage but you are Azure blob storage.

- [Scott] That's my understanding of it. I'll let you know more as it evolves.

- [Ben] As it develops when you start here in a few more days.

- [Scott] Yes.

- [Ben] So you already, how was starting a new job in this world of quarantine?

- [Scott] It's very interesting. I think like lots of employers, Microsoft isn't probably too unique in trying to figure out how to onboard employees remotely. I remember when I was a virtual TSP, back when they used to have like purple badges at Microsoft and your badge came with your picture and all those things, just usually a normal badge but also your client certificate for CACing into things. And you weren't allowed to just say, "Hi, I'm Scott" and somebody would send you a badge with a CAC and they'd give you your password in plain text over email and you go like, "Ooh, look at me, I'm on the network." There was a little bit more, a little bit more involved with that. You had to go to a Microsoft location and see somebody in person. So there's certainly things like that. I think it's even interesting for hiring practices like in the United States, you have to prove that you're eligible to work in the United States. So you have to provide documentation such as your passport or your driver's license and your social security card. There's this whole combination of documents that you need to provide that you're allowed to work in the country. And I think lots of countries are like that in the same vein but typically those need to be verified in person. So in the US that is certainly a thing, the IRS says, "Hey, you have to verify these documents in person as an employer." They've waived all those rules for right now and they're letting employers do virtual verification. But even for that, at some point, like they're very explicit and it calls out in hiring documentation that once things open back up again and we can be non-virtual, you're gonna have to show up at an office with this documentation and make sure we know who you are.

- [Ben] Okay, got it, interesting. It's just so bizarre, all of that. I was talking to somebody too, that said banks are struggling with the same thing, not so much from hiring but in terms of opening new accounts and doing the same type of verification.

- [Scott] I would imagine it hits lots and lots and lots of different places.

- [Ben] Yes, but now I don't know. We haven't figured this out yet. We'll have to figure this out because we are recording this on our typical Friday, which means by the time you will, people will hear this or you, the listeners will be hearing this, you will have been a Microsoft employee for four days. So we still need to figure out what kind of intro I need to put at the beginning of this, that these are your opinions and not the opinions of Microsoft and that disclaimery type stuff or if we even need that.

- [Scott] Yeah, we'll get all that stuff sorted.

- [Ben] We'll figure it out.

- [Scott] Yes, fun times.

- [Ben] Do you feel overwhelmed by trying to manage your Office 365 environment? Are you facing unexpected issues that disrupt your company's productivity. Intelligink is here to help, much like you take your car to the mechanic that has specialized knowledge on how to best keep your car running, Intelligink helps you with your Microsoft cloud environment because that's their expertise. Intelligink keeps up with the latest updates in the Microsoft cloud to keep your business running smoothly and ahead of the curve. Whether you are a small organization with just a few users up to an organization of several thousand employees, they want to partner with you to implement and administer your Microsoft cloud technology. Visit them at intelligink.com/podcast. That's I-N-T-E-L-L-I-G-I-N-K.com/podcast, for more information or to schedule a 30-minute call to get started with them today. Remember Intelligink focuses on the Microsoft cloud, so you can focus on your business.

- [Ben] So should we dive into our topic now today?

- [Scott] Yeah, absolutely.

- [Ben] It has nothing to do with what you're gonna be doing, but it has to do with what you are presenting on here shortly.

- [Scott] It does. I think one of the interesting things about my current role is potentially the variety of offerings that come along with them. And so we've been doing, and you've been helping out as a coach in a big bootcamp that Microsoft has been putting on this week. So they had their first virtual partner bootcamp. There was a select group of partners that were invited to this event. I think we had about 1700 attendees signed up, which was pretty good for like an internal, very partner driven event, but all 300 plus level content for four days across a bunch of different tracks, AppDev, Infra, Teams, Versatrack, which is what you're participating in. So in my track, infrastructure, we've been doing deep dives on ARM, including Azure Resource Manager templates. We've also done, as we talked about last week, a bunch of Kubernetes stuff. Like I was talking about some of the heartburn with just JSON and things like that, that was all born out of putting together all this content around Kubernetes. And then my last one, my last session today is on Azure Sentinel.

- [Ben] This is an interesting one. We actually had, we did an episode a while back when Sentinel first came out and then we recently had somebody ask too, they're like, "Hey, could you dive a little bit deeper into Sentinel? You did like an overview, but can we dive deeper?" So you're like, "Hey, Scott just wrote a bunch of three, 400 level content on Sentinel. Someone asked about Sentinel. Maybe we should do a Sentinel episode."

- [Scott] Yeah, it's totally doable.

- [Ben] Yes, so if people, and there may be people that have not heard our intro episode. So should we just start really briefly by what Sentinel is if people have not heard of it or didn't listen to that episode or are just curious, what is Sentinel?

- [Scott] Sentinel is Microsoft's cloud based SIEM. So it's an event collector that allows you to do not just collection, but also analysis of security events and logs that you might store across your environments, all in the cloud. So you're leveraging cloud for not only the storage of your logs, but also for the compute and really for the, I think that beauty of computational machine learning and things like that, to help you understand all of those logs as they're aggregated together. So if you think about most environments that you probably have today, let's say you run in Azure. That means you have an Azure subscription, which means you have an activity log you monitor, it means you have Azure AD. And it also means that you have all these workloads that you run off plate. Even if you turn up a VM, that VM has a Windows event log or if you're doing Linux, you might be doing syslog, something like that. So there's operational events coming from those. You're probably a little bit on prem. So maybe you have some clients or servers on prem that are doing things. Like if I have a Windows server, it probably has a firewall turned on and that's generating telemetry and logging. What if I have an on prem device as well, maybe I have a Fortinet firewall or a Palo Alto. I have some type of IPS. I have a proxy, something like that. All of these things are typically generating some type of telemetry. And sometimes you're checking the telemetry on device or usually what you're trying to do is aggregate it all together so you can get a better sense of what's going on out there. So for Microsoft to have a product like this, it lets you aggregate across on premises and the cloud, not just Microsoft cloud either, but also things like AWS or GCP, certainly across Microsoft's cloud, Office 365, M365, ATP kinda workloads like that, Dropbox, Box. I think it's a very interesting product when you think about being able to aggregate all your data in one place, and now once your data is in one place, perform meaningful analysis on top of it. So certainly there's, yes, okay, we can get all their logs all in one place. We can figure that out. Great, now, how do you analyze it? How do you figure out what's good data and how do you action that data and make it actionable to make your environment ultimately a more secure place?

- [Ben] 'Cause a lot of these services do have ways you can pull this. So I'm gonna default back to Microsoft 365, where you have the unified audit log. If you go into Azure AD, you have your Azure AD sign-in log, and you have all these different places where this data is being recorded and you can search it, but it isn't necessarily all pulled into that central place where you can see all of it together or, let's face it, queries in the unified audit log, they're not great, but pulling this into Sentinel, you get a lot more functionality, a lot more powerful queries and like you said, all that data pulled together from your, from all of those different logs pulled into the central repository, the central spot.

- [Scott] We can probably start there with that central repository or that central spot. We spend a lot of time and when you talk about Sentinel, you're gonna hear people talk about a Sentinel workspace quite a lot. So we usually start out with workspace considerations. Well, what is a Sentinel workspace? A Sentinel workspace is really a Log Analytics workspace. So anytime I say workspace and I put the word Sentinel in front of it, or I put the phrase Log Analytics in front of it, I'm talking about the same exact thing. It's a Log Analytics workspace. If it's a Sentinel workspace, that just means we've enabled the Sentinel solution within the Log Analytics workspace. So there's kinda like add-ons or functionality that we can enable within Log Analytics that give us extra tables within our workspace that we can then query with Kusto and get things to where they need to be. So if you go into the Azure portal and you just search for the Sentinel service and you go, Sentinel, it'll say maybe you don't have any workspaces. So the very first thing you'll do is you'll hit a button that says "create workspace." And the next step is it's gonna ask you, do you wanna use an existing Log Analytics workspace or do you wanna create a new Log Analytics workspace? And hopefully that just kinda drives the flow. So that's really all Sentinel is from a turn it on perspective, is determining where the data lives that you are going to query. Now, being that it's in Log Analytics, that has some interesting considerations for us. Are we single tenant? Are we multi-tenant? What am I looking at from my perspective as a customer? If I'm an MSP who is managing multiple Azure subscriptions, then I'm in a multi-tenant scenario. I'm probably gonna end up with multiple workspaces, maybe one per customer, one per workload per customer, something like that. If I'm a single customer, I'm probably just a single tenant. So it's just my Azure AD tenant, but then maybe I have multiple subscriptions. So do I still need multiple workspaces? Do I have data sovereignty concerns? Where can my log data, my operational data live? And then how many of these things do I wanna have kicking around? Because we pay per gig. Does it make more sense for me to have all my data in one space or does it make sense to have it in multiple spaces based on maybe bandwidth, storage, cost concerns and some of those other things I talked about with resiliency, data sovereignty, performance, whatever it happens to be within there.

- [Ben] Right, so, how does that work then? In my head, and as I'm thinking through this, it's like, well, Azure Sentinel's part of Log Analytics. So unless Log Analytics has that ability to pull from multiple tenants or multiple subscriptions, you really aren't gonna end up with all those different Azure Sentinel workspaces and I can see where it would be nice to query across them but I also get that concern of, if I'm creating Log Analytics from Sentinel and I'm pulling data from multiple subscriptions or multiple resource groups, or even trying to pull data from different regions into a single Log Analytics, there would also be some valid security concerns, I think there, kinda like you said, some of the data sovereignty security. So, is that what you end up with then, as you end up with a whole bunch of different Azure Sentinel things or kin, is there some way to pull them all together?

- [Scott] It really depends on your situation. I think from what I've seen and from what I know of current customers who are consuming Sentinel today, that single tenant scenario works pretty well, which is just one single workspace per tenant. So, that Contoso or Fabrikam of the world. It doesn't matter if I have six subscriptions or one subscription, I've just got one big consolidated workspace that I put everything in and pull it together and so that's super nice. Like there's a bunch of pros to that. Certainly one of the biggest, like you said, it's probably a single pane of glass. I get all of my security logs, information consolidated into that single workspace. Authoring queries is, not gonna lie, way easier in that model. It's also easier for me to control access to the data in that model. So it's not just data sovereignty that we worry about. We do worry about users who have access to that, so who can read that operational data out of there. And, usually that's solved with a combination of RBAC on the Sentinel service itself, so who can get into Sentinel. But then we have to cover RBAC within Log Analytics as well 'cause that's where our data lives but I think one of the cool things there that people forget about is Log Analytics actually has roles that allow you to control the data plane as well as the management plane. So there's roles in Log Analytics that I can turn on. I can say, "Hey, Ben can only read out of this table." So there might be 78 tables in my Log Analytics workspace and you can only read the one that you need to read to be successful and then I can give you just read access to Sentinel as well. And that data flow and that role flow kind of goes all the way through. I think you worry a little bit about there's some cons, there's a bunch of pros, but there's a couple of cons to that model. Cons can be, you're probably going to incur some type of bandwidth costs just as you go potentially cross region. If I am Contoso and I have six subscriptions, I might have one in like East US and one in West US. If I'm pumping all my data from East US to West US, that's egress from the data center. So I do have to account for that. It's minimal but you will incur a cost there.

- [Ben] Got it. So you could technically say, "Ben, you're only allowed to go into Sentinel and query the Microsoft 365 data that came from our unified audit log," and it goes into these Office 365 tables in Log Analytics. You're not actually allowed to go look at the data that's coming from maybe Azure AD or coming from all of the VMs or even coming from a certain subscription. So potentially--

- [Scott] It depends on how that data comes in. So as a customer, you're not in control, like you're gonna turn a connector on. You're gonna go into Log Analytics and say, "I would like to ingest my Office 365 audit logs." You're not saying I would like to ingest them into this specific table in this specific schema, that's all set by the connector and by the solution that you're enabling. So it might be hit or miss what you can get there. I would say 100%, if you truly have a need where you're like, we need Office 365 data that's only queryable by folks in our Office 365 operations team. That's a design decision that drives you into having a unique Sentinel workspace just for Office 365 data. But maybe what you do is you connect multiple Sentinel instances to that same Office 365 tenant. So you're gonna get the data for the one Sentinel workspace just for your Office 365 admins and you're gonna get it into your big central workspace as well for SecOps or whoever needs it.

- [Ben] So you can do, let me make sure I got that straight then. You can do multiple instances of Sentinel all tied to the same Log Analytics workspace. Is that what you just said?

- [Scott] No. I'm saying you can have multiple Sentinel instances that query the same source system.

- [Ben] Okay, got it.

- [Scott] There's lots of ways that data gets into Sentinel. So if I think about having a Sentinel workspace, when you're connecting Sentinel to some cloud systems through like a cloud connector for Office 365 or AWS or ATP or something like that, Sentinel works under a pull model where Sentinel is reaching out and it's pulling the source system to go ahead and get that data in. So I'm not dependent on Office 365 saying it has only one connector back to Sentinel to push data to Sentinel. Sentinel's the one that's doing the work to retrieve the data for me. So in that case, I can have two Sentinel workspaces that both pull data from the same Office 365 tenant. That's not a big deal.

- [Ben] Does this go into two separate Log Analytics workspaces that as well? Log Analytics isn't doing the work on the backend and Sentinel's just the query, Sentinel's still doing the work of going and grabbing the data, crackling it out and then shoving it into a Log Analytics workspace on the backend.

- [Scott] Correct, yeah. They are fundamentally like, I get very confused when I talk about them. 'Cause like I said, we say the word workspace a lot, but it ultimately, like data storage is Log Analytics. Log Analytics is the query engine. You're gonna go into Log Analytics to query things but Sentinel is providing a layer of kinda compute on top of that, where you're getting access to some of that machine learning, some of these pull mechanisms to go ahead and grab data from source systems and get it into Log Analytics so that Sentinel can then action.

- [Ben] Got it, okay. As IT professionals in the cloud era, sometimes that feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or teams that Azure costs, they don't always realize how much work is involved in obtaining that information, sifting through cluttered CSVs and a complex massive metadata in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost hubs and map them to real world business scenarios. This way you can track costs in the way that makes most sense with your corporate structure, whether it's byproduct, business unit, team or otherwise. It's a flexible, intuitive and business friendly way of tracking Azure infrastructure costs. And it's only available in ShareGate Overcast. Find out more on sharegate.com/itpro. Now I have it all straight in my head more or less until you say something else.

- [Scott] It's a very straightforward product. How could you not? I think that's really the gist of it. Usually honestly, if you decide that there's a value in the things that Sentinel provides, maybe like automated incident management, automated alerting, some of that machine learning through fusion and some of the ML models that are available and some of the enhancements that are gonna come there with like bring your own ML, really at that point, all you have to decide on is data storage and how things are gonna live and what's gonna happen for you there. So once you start to get into that multiple workspace thing, then life starts to become a little bit more interesting because in Log Analytics, there is the capability to query across multiple workspaces, even multiple workspaces across multiple tenants. But you've gotta do a lot more work to put your queries together and to drive that data to where it needs to be. And it's a lot harder to configure some of that RBAC 'cause you're probably using Lighthouse and some other methodologies there to get you where you need to be for delegated access to other tenants and things like that.

- [Ben] Okay, and I was gonna ask about that. So as an MSP, 'cause I have some of your slides in front of me too. And I found that slide that had multi-tenants and it references Lighthouse on there and pulling data from multiple tenants into a single tenant. So if you're an MSP or you're wanting to consolidate, maybe you're even a company that has multiple tenants for different product groups or different departments, and you wanna pull all of this together. It is possible to pull all of the data from multiple tenants. And when we say multiple tenants, this is essentially multiple Azure AD tenants that could have one or more subscriptions underneath all of that. You can use Azure Lighthouse to pull all of that into like a single master tenant?

- [Scott] Not into a single master tenant. What Lighthouse is giving you, it's giving you delegated access to all of those other, 'cause Sentinel and Log Analytics are Azure resources so it's gonna give you delegated access to all of those other Sentinel instances, Sentinel workspaces and underlying Log Analytics workspace. So you're gonna get the, you get almost the same single pane of glass once you've written the queries and kinda put things together, that's on you to go ahead and kinda figure out what that looks like. But, out of the box, there's no such thing as a single pane of glass for you there. That's probably the biggest downside but I think there's a bunch of upsides to managing multiple workspaces, especially when you're in a multi-tenant scenario. One of the biggest ones is going to be cost and having all the kinda tweaks. You have all those knobs and levers that you can pull to make sure that your workspace is set up the way exactly the way it needs to be. If I'm an MSP and I'm managing workspaces for multiple customers, that means that, I don't have to worry about data leakage from one customer to another customer in the same Log Analytics workspace. It also makes the way I do costing back to my customer much easier, like say I'm a CSP and I'm providing your subscriptions as well. Now it's very easy 'cause you've got a Log Analytics workspace, you consume two gigs, this other customer consumed three, this other one consumed half a gig and I can actually charge them the right amount of money for the services I provide.

- [Ben] Got it. So then when you're going for that single pane of glass, rather than having it all pulled together and writing a query to query a single data source by using delegated access, you're writing a query and that query goes out and is able to query all the different tenants at the same time but it's all based on how you write that query in the assumption that you have delegated access to go run that query against all the different instances.

- [Scott] Yes, there's some limitations there. One of them being that if I have lots of customers like a large CSP or large MSP, and I've got hundreds of customers, if not thousands, and I'm running them up that way. When you have a Log Analytics query, you can't query more than 100 workspaces at a time. So there might be some downsides there depending on how you try and build dashboards and things like that.

- [Ben] Got it, so you'd have to build multiple ones for different segments of customers based on some vertical or somehow slice and dice this up.

- [Scott] Could be, you have to figure some of that stuff out. It's all to say that it can be done. It really depends on how you wanna do it and what you want that to look like. Another option for you is put all of your, like do the per workspace per tenant thing. So, I've got 80 customers and I've got 80 tenants so I end up with 80 workspaces. If you do want a consolidated workspace, because we're driving off Log Analytics here, you can use things like just your straight diag settings and your sources, like if it's an Azure resource, it likely has diagnostic settings. Most of those can drive directly to event hubs, which can then call logic apps, which you can then dump that data into Log Analytics anywhere. It's all just a REST connection at that point. It's just a RESTful call through the APIs. You will end up with all your logs in a custom log source so your table's gonna be suffixed with _CL on it. And that means again, you gotta do a bunch of query updates to support that and get it to where it needs to be.

- [Ben] Interesting.

- [Scott] But it's doable. It's just how much, what's the machination that you wanna put on top of it? And what's the requirement? 'Cause if I think about being a partner that's going out and offering services to customers. If I'm offering a security service to them where I'm doing Sentinel monitoring for them, how would I have done that in the past? I probably like if they were on prem, I would have charged them for a device per customer, a device per site, whatever it was and I would have sent them that device and had to go in. So if you think about Sentinel a little bit as a device model like that, it does make sense to have a workspace per customer and then provide that service on top of it and then figure out what you need to do as the quote, unquote, "manager" or "operator" of all this to actually provide your service on top of it. Don't put that burden on top of your customers. That's yours to figure out. What's your IP and what's your value add and what are you actually charging them for?

- [Ben] Yup, exactly. Okay, so what else should we know? I'd imagine, I think cost has changed maybe a little bit too since we first talked about this. And there's different components we've talked about. Is there anything else from that technical standpoint? Do you wanna talk about cost for a little bit? Do you like talking about cost or do you wanna avoid cost?

- [Scott] So Sentinel pricing, Sentinel's out, it's GA, it's up there. So what you're doing is with Sentinel, you're paying for ultimately two things. You're paying for the storage in Log Analytics, which is a cost per gigabyte that you're just gonna go ahead and run up there. So you might wanna look up your Azure Monitor, Log Analytics pricing, figure out what you feel like you're gonna be in there. Do you want to do capacity reservations for storage or things like that on top of it? Now, Sentinel's providing a value add on top of Log Analytics, 'cause it's doing this analysis, it's putting incidents and alerts together. It's letting you run automated playbooks, all sorts of things like that. There's some extra stuff going on. So that works in a couple different ways as well. You've got capacity reservations that you can do there. So for example, just looking up some pricing in East US. If I'm ingesting 100 gigs of data per day into my Sentinel connected workspace, I can go ahead and get that down to a cost of $100 per day. Now, 100 gigs per day is a lot of data.

- [Ben] When you're talking, 'cause this is like text-based log files, 100 gigs of text-based log files is a lot of logs.

- [Scott] Right, just to give you a sense, like that's typically where that capacity reservation stuff starts is when you're in the hundreds of gigs per day model. If you're less than that, you might just be in a PayGo model. So under PayGo, it's $2 per gigabyte and that's it. There's the cost per gigabyte in Log Analytics and then you're paying an additional $2 per gigabyte ingested for that same Log Analytics workspace where Sentinel has been enabled on top of it. So the next question that usually gets asked is, "Well, how do I figure that out? Where's the magical pricing calculator that's gonna tell me when I hook up my Azure AD and my Office 365 tenant and my AWS storage accounts, how much data I'm gonna send in." That's harder. I can't tell you that because that really is a, it really does depend. That depends on if you're analyzing AWS and only analyzing S3 storage buckets, how much data is driven through your storage buckets versus mine? I can't tell you that. That's some data that you need to bring. So if you have an existing SIEM solution today, you might be able to say like, "I ingest this much data in," and get a sense for it there. Or you could come from, maybe even looking at those on prem systems. I've got 50 Linux servers and they're all running syslog and if I take the average storage of syslog logs across all these servers, it equals this much. It's gonna be about the same amount over in Log Analytics. As you said, it's plain text. So that piece doesn't change and storage is kinda storage there.

- [Ben] Right, takes up so many bits and bytes, no matter where it is.

- [Scott] I think the thing that you need to keep in mind is your data is in Log Analytics. So some of us are used to maybe having systems, like if it's just a plain text log, what do you do when your text logs get too old or you have too many of them? You're like, "Oh, my web server ran out of space 'cause it was logging too much." You log onto the web server and you delete the old logs that you don't need. And boom, magically space is restored. There's immutability inside Log Analytics. So there's no out of the box in a default configuration. There's no model to purge data out of Log Analytics other than the retention settings for your workspace. So you can have retention up to two years in a Log Analytics workspace. Let's say you set your retention to 365 days. That means as soon as the record is 366 days old, it ages out and gets deleted automatically. But there's no query that you can write in Kusto outside of a select query. There's no such thing as an update or a delete or anything like that. Once the data lands, the data lands. There is a special role within Azure called data purger. You very explicitly need to go and turn that on and add people to that role. People in the data purger role can technically delete data out of Log Analytics but it's kind of like just a one off very specialized thing. When you think about managing data usage, you're just gonna manage all that through your retention settings on your workspace.

- [Ben] Got it. Outlook add-ins are a great way to improve productivity and save time in the workplace, and Sperry software has all the add-ins you'll ever need. The Save as PDF add-in is a best seller and is great for project backups, legal discovery and more. This add-in saves the email and attachments as PDF files. It's easy to download, easy to install and Sperry software's unparalleled customer service is always ready to help. Download a free trial at sperrysoftware.com, S-P-E-R-R-Y-S-O-F-T-W-A-R-E.com and see for yourself how great Save as PDF is. Listeners can get 20% off their order today by entering the code, cloudIT. That's cloudIT, C-L-O-U-D IT, all one word at checkout. Sperry software, work in email, not on email. There's some advantages to that too, for certain services and different pricing. If you go down on the Azure Sentinel pricing page and look under the FAQs, there is what data can be ingested at no cost with Azure Sentinel in which case you're still paying for the Log Analytics storage but you're not paying that $2 per gigabyte or something for the ingestion.

- [Scott] Correct. So now you make it even fuzzier 'cause you're gonna pay on one side but not on the other side.

- [Ben] Yes, but it does help. Again, I'm coming from the Microsoft 365 side, like your Office 365 audit logs that, in Office 365, they're only stored for 90 days or 365 days based on your licensing. If you do go turn this on, you can ingest it all into Sentinel for free. You're still gonna pay for the storage in Log Analytics. But now, because that data doesn't get deleted, you do have that ability to retain some of that for longer.

- [Scott] Correct.

- [Ben] As in Sentinel within Log Analytics, but just be careful 'cause they do have a big bold, please note like Azure activity logs, Office 365 audit logs, ATP, Cloud App Security, all of that's ingested for free but then Azure Active Directory audit data is not free. Like that's, you would think would fall into that same bucket, but for whatever reason, Azure AD is not free, even though the other ones are.

- [Scott] It's all what they've worked out with those teams. I think the other thing you need to watch out for is for some of these, like you consider Azure Active Directory to query Azure Active Directory sign-in logs. You need to have P1 or P2 licensing in place, and that's external to Sentinel. Now you get into that whole weird world of, well, is it, do I need to have one P1 or one P2 or do I need to have one for every user that I'm technically querying from the sign-in log that comes in. So it gets very fuzzy in there how some of that stuff works.

- [Ben] Yeah, but it is. It's a great solution. I have it turned on, I play with it. I've done some sessions just purely from the Office 365 side, that if you have Office 365, M365, this is definitely something from that side you should check out. And like we said, when it comes to all of your cloud services, there's a lot you can do with this.

- [Scott] Oh, tons and tons. So let's real quick run through what you can do with it 'cause we spent a bunch of time on kinda like data storage and how you get your data in. That is an important consideration but there's also the stuff that happens on the other side. So once your data is in there, then you're into this whole analytics engine. So Sentinel has a bunch of built-in alert rules or you can customize your own alert rules. So think about an alert rule as, I write a query and my query brings back my tabular data and based on the number of rows that are returned, so I'm gonna have some type of count where I query. Show me the number of blocked attempts through my firewall in the last five hours. And if I have more than 100 of those, go ahead and automatically generate an alert for me. Turn that on and get it to where it needs to be. So you can write your own custom alerts like that, or you can use built-in analytic rules so there's 39 connectors. There's a new one that's about to be turned on like connectors for Office 365, CEF data, TAXII data, Windows Firewall, syslog, things like that. So there's a bunch of built-in alert rules for all that kind of data as well. And it's not just to figure out raw counts or things like that. Some of the alert rules are based around anomalous activity. So because Sentinel's constantly monitoring things 'cause you have this operational data pumping in all the time. You can do things like say, "Hey, Sentinel go out and figure out "what my average intake from my firewall logs "is for blocked attempts. "And rather than me manually writing that query, "you just go figure it out for me "and if you see a spike, then alert me." That's kinda cool to be able to turn that on and not have to worry about what that is. So what Sentinel does is it'll generate the alert and then it groups multiple alerts together into incidents and then you can go and manage those incidents within Sentinel.
So I can go in and I can say like, "Okay, so this alert fired for blocked firewall stuff. "I better go look at that incident." And as I'm looking at that incident, I drill down a little bit further and I find out that the IP that we were blocking on the firewall, wasn't being blocked over on this other storage account that we had stood up in my Azure subscription 'cause I'm seeing operational telemetry come through from that. So I can kinda bookmark that and I can correlate those two events together and then potentially go do some hunting in a nice graphical interface or I can query through Kusto or if you know Jupyter at all, I guess you're familiar with Jupyter notebooks and Python. You can run notebooks inside of Azure Notebooks. So it's all just Python 3.6 notebooks. You can run those notebooks against the data in your Log Analytics workspace and do visualizations and hunting over there as well. And Microsoft has a whole big body of sample notebooks and things that can get you started pretty easily there. So you go ahead, you do all these analytics. So that's certainly nice. The other cool thing that you can do is you can do visualizations against your data. So I wanna know the volume of data that's coming in. I want to combine graphs and charts from multiple data sources. You can do all that with Azure Workbooks or you can also query that data from Power BI. So say you wanted to share it with external users or things like that, that's all nice and easy and built-in as well.

- [Ben] Wow, very cool. I haven't played with that side of it. I've done the queries to just look at some of the data, play with writing some queries and looking at things like exchange logins or Azure AD logins and things like that. But yeah, I have not gotten into the whole visualizations and building all of that out and trying to pull it into Power BI and all that.

- [Scott] It depends on who you are and kinda where you sit in the world, where, is the value for you in alerting, is it in visualizations? I think those kinda target different segments. Really, I would say most folks, you would start with your data ingestion, you get your workspace up and running, you do all that, you're kinda good to go there. The next thing that you're going to do is start firing up and configuring some of those alert rules and getting some of that analytics up and running. And then I would maybe try and take a look before even I looked at visualizations like there's a bunch out of the box ones, certainly look at those. But before you go and look at creating custom visualizations, start to look at what you can do to go beyond alerts and automate incident response within there. So you can do that with Playbooks and Playbooks all run in our friend Azure Logic Apps. Everybody loves Logic Apps and pretty easy to get those up and going.

- [Ben] Yup, they even have the little Logic Apps icon by them in Azure Sentinel.

- [Scott] They do. So that's another consideration too, if you're thinking about like security and things like that. Who do you want to be managing logic apps? It's another out of the back consideration for you.

- [Ben] Yep and they do have, the nice thing is, is when you spin up Sentinel, like you said, they had a lot of samples and pre-created queries and some of that stuff out there. So it does, you're not just starting from scratch and having to figure all this out. You can go dig through a lot of the samples that get created when you spin up Azure Sentinel to help you figure out what's going on and how to write some of these queries.

- [Scott] Yes, absolutely, kinda sky's the limit there. There's tons and tons and tons of examples out there.

- [Ben] All right, very cool. Well, I think that wraps us up. We went a little longer again today, Scott.

- [Scott] We're developing a habit.

- [Ben] Nobody's commuting anymore, so we don't have to fit this into a 30-minute commute.

- [Scott] It happens.

- [Ben] All right, well, good luck on your first day at Microsoft, we will catch up with you next week after you're a week into the job and you know, everything there is possibly there to know about blob storage.

- [Scott] Oh my goodness. So I've kinda fried my brain with Azure and Sentinel these past three, four weeks here. So it's gonna be interesting.

- [Ben] We are gonna have to change our show from the MS Cloud IT Pro Podcast to the Microsoft Blob Storage Podcast.

- [Scott] I'm hoping it doesn't get there, but it might. You never know.

- [Ben] I will keep you in other areas, Scott. I will drag you out of blob storage land to talk about other things here and there too.

- [Scott] Excellent. Well, all right.

- [Ben] All right, well, enjoy your weekend, Scott. Good talking to you again and we'll talk to you next week.

- [Scott] All right, thanks bud.

- [Ben] If you enjoyed the podcast, go leave us a five-star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show, feel free to reach out via our website, Twitter or Facebook. Thanks again for listening and have a great day.

Sponsors

  • ShareGate – ShareGate’s industry-leading products help IT professionals worldwide migrate their business to Office 365 or SharePoint, automate their Office 365 governance, and understand their Azure usage & costs
  • Sperry Software – Powerful Outlook Add-ins developed to make your email life easy even if you’re too busy to manage your inbox
  • Office365AdminPortal.com – Providing admins the knowledge and tools to run Office 365 successfully
  • Intelligink – We focus on the Microsoft Cloud so you can focus on your business

Show Notes

About the sponsors

ShareGate – Every business will eventually have to move to the cloud and adapt to it. That’s a fact. ShareGate helps with that. Our industry-leading products help IT professionals worldwide migrate their business to Office 365 or SharePoint, automate their Office 365 governance, and understand their Azure usage & costs. Visit https://sharegate.com/ to learn more.
Sperry Software – Sperry Software, Inc focuses primarily on Microsoft Outlook and more recently Microsoft Office 365, where a plethora of tools and plugins that work with email have been developed. These tools can be extended for almost any situation where email is involved, including automating workflows (e.g., automatically save emails as PDF or automatically archive emails that are over 30 days old), modifying potentially bad user behaviors (e.g., alert the user to suspected phishing emails or prompt the user if they are going to inadvertently reply to all), and increased email security (e.g., prompt the user with a customizable warning if they are about to send an email outside the organization). Get started today by visiting www.SperrySoftware.com/CloudIT
Intelligink – Intelligink utilizes their skill and passion for the Microsoft cloud to empower their customers with the freedom to focus on their core business. They partner with them to implement and administer their cloud technology deployments and solutions. Visit Intelligink.com for more info.