Basic Knowledges about Azure Sentinel (Price, Log, Connectors, T.I., Analytics Rules, KQL) - NETSEC



Cybersecurity Memo

Monday, March 18, 2024

Basic Knowledges about Azure Sentinel (Price, Log, Connectors, T.I., Analytics Rules, KQL)

This post summarizes the basic knowledge you need to start using Azure Sentinel as quickly as possible.


Sentinel Architecture


Sentinel Workspace, Price and Roles

Create Microsoft Sentinel (Log Analytics) Workspace 

Microsoft Sentinel pricing

Tier             Microsoft Sentinel Price    Effective Per GB Price    Savings Over Pay-As-You-Go
Pay-As-You-Go    $6.95 per GB ingested       $6.95 per GB ingested     N/A
100 GB per day   $456.74 per day             $4.57 per GB              34%

Roles and permissions in Microsoft Sentinel
The role is assigned at the subscription level, not to an Entra ID group.

Log Retention

Log Analytics Workspace

Settings - Tables - Default retention period is 90 days. 

To modify this configuration, go to Azure Portal - Log Analytics Workspace - <Your Workspace> - Tables - right-click the table - Manage table.



Content Hub & Data Connectors

You can search Training to get Microsoft Sentinel Training Lab to install it in your lab environment. 
  • Azure Activity
  • Network Session Essential
  • Azure Active Directory

  • Common Event Format

  • Windows Security Events

Microsoft Sysmon For Linux

Common Event Format (CEF) via AMA (Azure Monitor Agent)

Microsoft Sentinel Training Lab Solution

This solution ingests pre-recorded data into your Microsoft Sentinel workspace and enables several artifacts to simulate scenarios that showcase various Microsoft Sentinel features. The size of the ingested data is around 20 MB, so you will see no cost related to ingestion. Pre-recorded data will land in the following custom log tables: SecurityEvent_CL, SigninLogs_CL, OfficeActivity_CL, AzureActivity_CL, Cisco_Umbrella_dns_CL.

Training guide:

Threat Intelligence

Install Threat Intelligence from the Content Hub.
Open the connector page: Data connectors - Threat Intelligence - TAXII.
Get a free threat intelligence service from

API root:

API collection ID: test id
Username: taxii2
Password: your own API key

Threat Intelligence - TAXII :


Analytics Rules



Issue with Built-in Rule - SonicWall - Allowed SSH, Telnet, and RDP Connections

It shows "ASimNetworkSessionSonicWallFirewall(): function expects 0 argument(s)."

Solution: remove the false argument from the query, since the function expects 0 arguments. The call becomes:

The error should go away once the false argument is removed.
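As an added illustration (not the built-in rule's own query text), the following KQL calls the SonicWall ASim parser with no arguments, as the fix requires, and then keeps only the allowed sessions to SSH, Telnet and RDP. The filter fields follow the ASim NetworkSession schema, and the port list is an assumption drawn from the rule's title.

```kql
// Added example, not the built-in rule's exact query.
// The ASim SonicWall NetworkSession parser takes 0 arguments, so it is called
// as ASimNetworkSessionSonicWallFirewall() rather than ...(false).
// Field names follow the ASim NetworkSession schema (DstPortNumber, DvcAction,
// SrcIpAddr, DstIpAddr); the port list is an assumption based on the rule title.
let lookback = 1h;
let adminPorts = dynamic([22, 23, 3389]);   // SSH, Telnet, RDP
ASimNetworkSessionSonicWallFirewall()
| where TimeGenerated > ago(lookback)
| where DstPortNumber in (adminPorts)
| where DvcAction == "Allow"                // only sessions the firewall allowed
| extend Service = case(DstPortNumber == 22, "SSH",
                        DstPortNumber == 23, "Telnet",
                        "RDP")
| summarize ConnectionCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SrcIpAddr, DstIpAddr, DstPortNumber, Service
| order by ConnectionCount desc
```

The same shape works for any other ASim NetworkSession parser: swap the parser call and keep the filter and summarize steps.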

KQL - Kusto Query Language


You can practice Kusto Query Language statements - including the ones in this article - in a Log Analytics demo environment in the Azure portal. There is no charge to use this practice environment, but you do need an Azure account to access it.
