Azure / SimuLand

Understand adversary tradecraft and improve detection strategies
MIT License

Cost Analysis Question #27

Closed Dabuek closed 2 years ago

Dabuek commented 2 years ago

Hi,

I was wondering whether there is any optimum way to deploy this solution? Right now my predicted costs on this subscription seem to be skyrocketing.


Cheers

Cyb3rWard0g commented 2 years ago

Hello @Dabuek

I believe one of the expensive services is the Azure Bastion Host. For security purposes and to integrate it with access to your portal and resource group, it is a good service to use. However, it can be expensive in the long run. Therefore, the template also has the option to simply use NSG rules to allow RDP only from a specific public IP address. Set the following parameter to AllowPublicIP.

https://github.com/Azure/SimuLand/blob/main/2_deploy/aadHybridIdentityADFS/azuredeploy.json#L112

Also, make sure you set the specific Public IP address (i.e. Your home or organization) in this parameter (it is set to * by default):

https://github.com/Azure/SimuLand/blob/main/2_deploy/aadHybridIdentityADFS/azuredeploy.json#L123

That should help a lot! Also, from a MS Sentinel perspective, you can adjust the XPath queries used to collect data from Windows Security events and other Win providers (i.e. Sysmon). You can adjust the queries before deployment via the template parameters:

or via Microsoft Sentinel data connectors UI:


Also, since this is a lab environment, I would set a policy to shut down at least the domain-joined workstations.

I hope this helps!
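A pre-deployment check for the two settings discussed in this thread (RDP via NSG rules instead of Bastion, and the allowed source IP defaulting to `*`), added here as an example and not part of the SimuLand project. The parameter names `remoteAccessMode` and `allowedIPAddresses` are assumptions for illustration; the template's real names are in the linked azuredeploy.json.

```python
import ipaddress
import json

# Constructed sample mirroring the defaults the thread describes.
# Parameter names are assumptions, not the template's real names.
SAMPLE_PARAMETERS = {
    "remoteAccessMode": "AllowPublicIP",   # alternative: "AzureBastionHost"
    "allowedIPAddresses": "*",             # the template default per the thread
}


def arm_parameter_values(parameters_json: str) -> dict:
    """Flatten an ARM parameters file ({"parameters": {"x": {"value": ...}}})
    into a plain name -> value dict."""
    doc = json.loads(parameters_json)
    return {k: v.get("value") for k, v in doc.get("parameters", {}).items()}


def check_rdp_exposure(params: dict) -> list[str]:
    """Return findings (empty list means OK) for the NSG-based RDP path.
    Flags wildcards, any-address CIDRs, overly broad ranges and junk values."""
    findings = []
    if params.get("remoteAccessMode") != "AllowPublicIP":
        return findings  # Bastion path: the NSG source filter is not in play
    raw = str(params.get("allowedIPAddresses", "*")).strip()
    if raw in ("", "*", "Internet", "Any"):
        findings.append("RDP source is unrestricted; set your own public IP")
        return findings
    for item in (s.strip() for s in raw.split(",")):
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            findings.append(f"not a valid IP or CIDR: {item!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{item!r} matches every address")
        elif net.num_addresses > 256:
            findings.append(f"{item!r} is broader than a /24; narrow it")
    return findings


if __name__ == "__main__":
    for finding in check_rdp_exposure(SAMPLE_PARAMETERS):
        print("WARNING:", finding)
```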