Microsoft Sentinel is the best SIEM tool I have used in my 7+ years in MSSP Security Operation Centers, whether from a SOC analyst's perspective, investigating the story the logs are telling me, or as a Security Engineer building and deploying Sentinel SIEMs for customers. However, the SIEM is not always used the way it should be!
Yes, Sentinel can ingest lots of logs from a wide range of products. However, everything comes at a cost, and the main cost with Sentinel is the ingestion of data. When I have asked customers the question "What do you want to ingest into Sentinel?", the customer provides a long list of all the applications and services they are using, believing that if everything they have sends logs into the SIEM, they are covered if attacked. Of course, if we ingested all of these logs the customer would have a very large ingestion bill from Microsoft and may not be securing their critical devices correctly.
The SIEM should not be seen as a tool that will secure a network just by ingesting logs. At the start of any SIEM deployment project I fully recommend using the threat modelling process, where possible, to identify the risks to your business, how someone may attack your network, which log sources are useful for identifying that attack, and finally whether any mitigations can be rolled out already to remove, or at the very least reduce, the risk of compromise.
By identifying the risks, you may find features or products already available that can mitigate the risk of that attack vector.
Example: Customer A has just bought E5 licenses for all users and is planning to deploy Sentinel and ingest AAD sign-in logs to identify suspicious user logons.
Right away there are ways to reduce this customer's risk of adversaries gaining access to user accounts: enforcing MFA, deploying Conditional Access policies, using AAD Identity Protection / Defender for Identity to identify risky accounts, which can tie back into Conditional Access policies to require the user to re-pass an MFA check, and many more.
For Customer A I would advise tackling the threat first with the features already in their license. Only for the use cases whose risk cannot be mitigated, with Conditional Access policies for example, should logs then be ingested into Sentinel so that the remaining risk can be monitored.
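As an added illustration of that last step (this query is not part of the original post), the KQL below is one way to scope the Customer A use case against Sentinel's SigninLogs table: rather than alerting on every sign-in, it keeps only successful sign-ins that Conditional Access did not cover and that completed without MFA, so the SIEM watches the residual risk the licensed controls left behind. Column names are the standard SigninLogs schema; the 7-day window, the exclusion list and the escalation conditions are assumptions to tune per tenant.

```kql
// Added example (not from the original post): residual-risk monitoring for Customer A.
// Goal: surface successful Azure AD sign-ins that the preventive controls
// (Conditional Access + MFA) did not cover, instead of alerting on all sign-ins.
let lookback = 7d;                                             // assumption: tune per tenant
let excludedAccounts = dynamic(["svc-backup@contoso.example"]); // assumption: placeholder exclusions
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                                      // successful sign-ins only
| where UserPrincipalName !in (excludedAccounts)
// Residual risk: no CA policy applied and single-factor auth was enough
| where ConditionalAccessStatus == "notApplied"
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize
    SignIns     = count(),
    DistinctIPs = dcount(IPAddress),
    Countries   = make_set(Country, 10),
    Apps        = make_set(AppDisplayName, 10),
    RiskLevels  = make_set(RiskLevelDuringSignIn, 5),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by UserPrincipalName
// Escalate where Identity Protection flagged risk or one account spans several countries
| where set_has_element(RiskLevels, "high")
     or set_has_element(RiskLevels, "medium")
     or array_length(Countries) > 1
| order by SignIns desc
```

Two things worth noting about this design. First, the filter on `ConditionalAccessStatus == "notApplied"` is the threat-model decision expressed as code: sign-ins the policies already handled are not the SOC's problem, so they never reach the analyst. Second, a query only narrows what the analyst looks at; it does nothing for the ingestion bill, which is decided earlier by which tables are connected at all, and that choice is exactly what the threat model is meant to drive.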
Not all logs are useful to a security analyst; sometimes having too much data is itself a problem, when you have to dig through mounds of information to find the attack that may be happening. I hope this quick example shows the major benefit of identifying the risks to a business before ingesting any logs into a SIEM, and of mitigating those risks where possible: your SOC analysts and your finance team will thank you.
Tools and guides to help you complete a threat model are linked below:
https://www.ncsc.gov.uk/collection/building-a-security-operations-centre/onboarding-systems-and-log-sources/threat-modelling
https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
https://aka.ms/threatmodelingtool