How to maximise your Defender for Server Plan 2 investment with Microsoft Sentinel

If you’re running Defender for Server Plan 2 and Microsoft Sentinel, did you know that you can ingest 500Mb of data per endpoint, per day, into your Sentinel instance at no additional cost?

This allows you to collect a set of additional security data types for further analysis and to support any investigations you may need to run.

The specific security data types included are:

During a recent engagement, I needed to collect Common Security Events from all Windows Servers, including servers running in Azure and machines connected through Azure Arc.

You can choose to collect fewer events by selecting the Minimal or Custom event set, but collecting all Common security events ensures a full user audit trail is captured into Sentinel for each connected endpoint.

How to collect the SecurityEvent data type?

Sentinel has a connector specifically for this purpose, called “Windows Security Events via AMA”.

After enabling this connector, you are able to set up a Data Collection Rule (DCR) which facilitates the collection of the security events via the Azure Monitor Agent (AMA) into your Sentinel enabled Log Analytics workspace.

You can configure the applicable DCRs within the connector itself by selecting “Create Data collection rule” and configuring your desired options:

You will need to name the rule accordingly and select a resource group for it to reside in:

You then need to specify the resources to collect data from:

Then select the events you wish to collect, such as Common:

Once the initial DCR(s) are created from the Sentinel connector configuration, you can use Azure Policy to ensure that any new machines created in your environment are automatically associated with the applicable DCRs on an ongoing basis.

The two built-in Azure Policy definitions to use for this purpose are:

1. Virtual Machines located within Azure:

2. Virtual Machines connected via Arc:

How can I see that my free data benefit is being applied?

Something I found not so easy to see once you enable the collection of Security Events into Sentinel is how much of the free data benefit is actually being used.

To help, you can run the query below against your Sentinel-enabled Log Analytics workspace to see how much of the benefit amount is being used:

Operation
| where TimeGenerated >= ago(31d)
| where Detail startswith "Benefit amount used"
| parse Detail with "Benefit amount used: " BenefitUsedGB " GB"
| extend BenefitUsedGB = toreal(BenefitUsedGB)
| parse OperationKey with "Benefit type used: " BenefitType
| project BillingDay=TimeGenerated, BenefitType, BenefitUsedGB
| sort by BillingDay asc, BenefitType asc
| render columnchart

This generates a chart that lets you see how much of your free data benefit is being consumed within your workspace. Keep in mind that Microsoft calculates the benefit across all machines running Defender for Server Plan 2.
e.g. if you have 100 connected machines, that equates to 500Mb x 100 machines = 50,000Mb per day of free data ingestion.
This allowance is a daily rate that’s averaged across all machines. The total daily free limit is equal to [number of machines] × 500Mb. You aren’t charged extra if the total doesn’t exceed your total daily free limit, even if some machines send 100Mb and others send 800Mb.
If you would like to summarise the ingestion volume, another query you can run against your workspace is:

Operation
| where TimeGenerated >= ago(31d)
| where Detail startswith "Benefit amount used"
| parse Detail with "Benefit amount used: " BenefitUsedGB " GB"
| extend BenefitUsedGB = toreal(BenefitUsedGB)
| parse OperationKey with "Benefit type used: " BenefitType
| project BillingDay=TimeGenerated, BenefitType, BenefitUsedGB
| summarize sum(BenefitUsedGB) by BenefitType

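The two queries above show how much benefit was used, but not how that compares with what you are entitled to. The following added example (not part of the original post, and not Microsoft code) mirrors the parse logic of those queries in Python over constructed Operation-style rows and then relates each day's total to the pooled allowance of machines × 500 MB described above; the row contents and the machine count are assumptions for illustration.

```python
"""Summarise Defender for Servers Plan 2 benefit usage from Operation-style rows.

Mirrors the parse/summarize steps of the KQL queries above so the parsed
figures can be compared with the entitlement (machines x 0.5 GB per day).
The row layout (TimeGenerated, OperationKey, Detail) follows the fields the
queries parse; the sample rows and the machine count are constructed.
"""
import re
from collections import defaultdict

FREE_GB_PER_MACHINE_PER_DAY = 0.5  # 500 MB per Plan 2 machine per day

# Constructed sample rows in the shape the KQL parse statements expect.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-05-01", "OperationKey": "Benefit type used: Defender for Servers P2",
     "Detail": "Benefit amount used: 42.5 GB"},
    {"TimeGenerated": "2024-05-02", "OperationKey": "Benefit type used: Defender for Servers P2",
     "Detail": "Benefit amount used: 50 GB"},
    {"TimeGenerated": "2024-05-02", "OperationKey": "Data ingestion",
     "Detail": "Some unrelated operation"},  # filtered out, as in the KQL
]

DETAIL_RE = re.compile(r"^Benefit amount used: (?P<gb>[0-9.]+) GB")
KEY_RE = re.compile(r"^Benefit type used: (?P<type>.+)$")

def parse_benefit_rows(rows):
    """Return {(billing_day, benefit_type): gb_used}, skipping rows the KQL filters out."""
    used = defaultdict(float)
    for row in rows:
        detail = DETAIL_RE.match(row["Detail"])
        key = KEY_RE.match(row["OperationKey"])
        if not detail or not key:
            continue  # same effect as `where Detail startswith "Benefit amount used"`
        used[(row["TimeGenerated"], key.group("type"))] += float(detail.group("gb"))
    return dict(used)

def total_by_type(rows):
    """Equivalent of `summarize sum(BenefitUsedGB) by BenefitType`."""
    totals = defaultdict(float)
    for (_, benefit_type), gb in parse_benefit_rows(rows).items():
        totals[benefit_type] += gb
    return dict(totals)

def daily_utilisation(rows, machine_count):
    """Fraction of the pooled daily allowance consumed on each billing day.

    The allowance is pooled across all Plan 2 machines, so a single machine
    sending more than 500 MB does not matter; only the day's total does.
    """
    allowance_gb = machine_count * FREE_GB_PER_MACHINE_PER_DAY
    per_day = defaultdict(float)
    for (day, _), gb in parse_benefit_rows(rows).items():
        per_day[day] += gb
    return {day: round(gb / allowance_gb, 3) for day, gb in sorted(per_day.items())}
```

A day at 1.0 means the whole pooled allowance was consumed; any ingestion beyond that point on such a day is billed at the normal rate.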

Conclusion

In summary, leveraging the free data ingestion benefit provided by Defender for Server Plan 2 can significantly enhance your organisation’s security monitoring capabilities. By configuring Sentinel with the appropriate Connectors, Data Collection Rules, and Azure Policies, you can ensure comprehensive coverage and efficient use of your resources. The included queries offer a straightforward way to monitor and maximise your data ingestion benefits, helping you stay informed and in control of your security landscape.
