Azure Sentinel + LightHouse minimize costs

Marco Pereira 1 Reputation point
2022-05-04T14:33:41.833+00:00

Hello,
Currently I am using Lighthouse to integrate Tenant A with Tenant B. Tenant A has a log analytics workspace and a Microsoft Sentinel, and is being used has a central SIEM for all log sources. We have used Lighthouse to have access to the Tenant B log analytics where they are configuring logs to be sent to. In order to create rules in our Microsoft Sentinel (Tenant A) over these logs located at Tenant B log analytics we also needed to create a Microsoft Sentinel in top of this log analytics.
Our problem is the costs that this architecture is incurring on Tenant B, so I would like to ask if anyone has any other option to have access to logs on a different Tenant while keeping costs lower as possible?

The Tenant B log analytics is located at West Europe.
While Tenant A log analytics and Sentinel are located in France Central.

Regards,

Azure Lighthouse
Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
66 questions
Azure Cost Management
Azure Cost Management
A Microsoft offering that enables tracking of cloud usage and expenditures for Azure and other cloud providers.
2,028 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
975 questions
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2022-05-04T14:50:46.643+00:00

    If I understand you correctly, you have two tenants. Both have Sentinel but one (Tenant A) is the primary.

    Sentinel is billed based on data ingestion. Accessing the logs in another tenant should not incur an additional cost. Can you clarify more about the costs you are wanting to reduce?

    Generally speaking, cost optimization involves reviewing the data being ingested to make a more informed decision about what data to collect or exclude. Use workbooks and queries to identify the most expensive data sources and largest contributors to those sources. Verify that the data has forensic value or is required for regulatory reasons. Work to filter away low-value, high-volume data at the source or through the data collection mechanism. You can also save by combining Defender for Cloud workspaces with Sentinel (due to the 500MB daily included per VM).

    In practical terms this means filtering Syslog and Windows security events. You may also discover that operational issues can lead to higher than expected volume. For example, a faulty application or configuration leading to higher than expected log volume.

    0 comments
  2. Marco Pereira 1 Reputation point
    2022-05-04T15:08:03.043+00:00

    We want to monitor some resources located in the Tenant B, like for example SQL Server, frontdoor, frontdoor waf, etc. They have a log analytics where their logs are being forwarded and we are creating alerts from our Microsoft Sentinel located in Tenant A (France Central) from data on Tenant B log analytics (West Europe), but it seems that it is incurring some huge costs, probably because of huge log volumes coming from those resources. What I am trying to find is a way to reduce the costs or delegating these costs to the Tenant A.

    Currently we have the lighthouse giving us access to a resource group. Do you think that , changing that to a subscription level and configure those resources (via diagnostic settings or auditing) on that subscription directly to log analytics workspace located in Tenant A would help reduce costs? With this the log retention and monitoring costs would be billed on Tenant A and not Tenant B, Tenant B would only be billed on egress, i assume.

    Thanks for your reply

    0 comments
  3. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2022-05-04T15:48:36.743+00:00

    So you are using external queries in Tenant A to monitor logs in Tenant B?

    The data will be billed against the workspace where the data is collected. Lighthouse only grants access. How you access or query the data will not reduce cost. Redirecting the data to Tenant A would not necessarily reduce costs either.

    First, some data must be collected in the local tenant. Examples would be things like the Azure Activity log and resource diagnostics. Your AAD logs as well. For this reason you need at least one security data workspace (preferably a Sentinel instance) in each tenant.

    There are many data sources and connectors that can be directed to Tenant A directly. Agent-based monitoring for VMs, and external API-based connectors, and your on-premise connectors like Syslog for example. The potential savings of consolidation (where possible) is this can help you reach the Commitment tier discount. If you have Defender for Cloud, make sure to use the Sentinel workspace to reduce costs. Avoid retention over 6 months in the log analytics hot tier (consider a more cost effective archival option if needed).

    The best thing you can do to reduce cost is to use the usage and cost workbooks to identify the biggest sources. Then evaluate each for ways to reduce the volume. Certain sources might be dropped or excluded if determined to be too expensive. Local issues at the source can be identified and resolved. Filters can be added. There is a new ingestion-time filtering option to consider. Its all about identifying and reducing unwanted to overly expensive data collection.

    0 comments