Microsoft Sentinel and Blackpoint Cloud Protection are two leading solutions designed to safeguard Microsoft 365 environments from cyber threats, but they offer vastly different approaches. Blackpoint Cloud Protection is a closed system, designed with minimal flexibility—offering a straightforward set of preconfigured monitoring and detection capabilities. This makes it a more controlled environment but leaves little room for customization or adapting it to specific organizational needs.
On the other hand, Microsoft Sentinel is an open platform that allows admins to fully customize their security monitoring by leveraging KQL. Many templates are available, but analytics rules can also be hand-built, offering greater control over threat detection, incident response, and data analysis. Over a dozen connectors are available to import data from various sources, such as M365, Azure, Intune, firewalls and routers, but also LOB apps.
What is KQL?
In Microsoft Sentinel, Kusto Query Language (KQL) is the powerful, flexible language used to write custom queries for log data analysis. With KQL, security analysts can sift through vast amounts of cloud data, creating precise and complex rules that detect specific patterns or anomalies. This flexibility allows Sentinel admins to create tailored detections based on unique security requirements, giving it a significant advantage over fixed, pre-built solutions.
KQL queries are simple to create. This is an example of an analytics rule that detects MFA rejections:
```kql
SigninLogs
// 500121: authentication failed during the strong authentication (MFA) request
| where ResultType == 500121
// Status is a dynamic column; pull the detail text out as a string
| extend additionalDetails_ = tostring(Status.additionalDetails)
// keep only the cases where the user actively declined the prompt
| where additionalDetails_ =~ "MFA denied; user declined the authentication"
```
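The rule above fires on every single decline. As an added example (not from the original post), the same query can be extended to summarize repeated declines per user, which is the pattern behind MFA-fatigue prompting and worth a higher severity; the 1-hour lookback and the threshold of 3 are assumed values to tune per tenant.

```kql
// Added example: repeated MFA declines per user (possible MFA fatigue / stolen password)
// Lookback window and threshold are assumptions; adjust to the tenant's baseline.
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == 500121
| extend additionalDetails_ = tostring(Status.additionalDetails)
| where additionalDetails_ =~ "MFA denied; user declined the authentication"
| summarize
    RejectCount = count(),
    SourceIPs   = make_set(IPAddress),
    Apps        = make_set(AppDisplayName),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by UserPrincipalName
// three or more declines from one account in the window is the alerting condition
| where RejectCount >= 3
| project-reorder UserPrincipalName, RejectCount, FirstSeen, LastSeen, SourceIPs, Apps
```

When scheduled as an analytics rule, set the query period and frequency to match the `ago(1h)` window so each run covers the same interval it evaluates.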
Security Orchestration and Response
Blackpoint operates as a closed system, providing incident alerts primarily via email and potentially mitigating threats, though we were unable to find specific details on its security orchestration capabilities. In contrast, Microsoft Sentinel does not include built-in security orchestration; however, its automation functionality allows users to leverage Azure Logic Apps to implement automation during incidents and alerts effectively.
Each customer’s tenant can be set up with a Microsoft Sentinel workspace and an Azure Logic App, enabling the transmission of incident data in JSON format to a central automation platform (in the MSP tenant). This platform can centrally analyze the data and determine whether a threat requires mitigation, such as isolating a device or user.
Costs
When comparing the costs of Microsoft Sentinel and Blackpoint Cloud Protection, it’s important to consider several factors, including pricing models, scalability, and the specific features included.
Microsoft Sentinel typically operates on a pay-as-you-go model based on the volume of data ingested and stored. This means costs can vary significantly depending on the size of the organization, the amount of log data processed, and any additional features or services utilized, such as advanced analytics or integrations with other Azure services. Sentinel’s pricing structure allows for scalability, which can be beneficial for organizations that expect to grow or have fluctuating security needs. The average cost is roughly $1 to $2 per user per month.
Blackpoint Cloud Protection, on the other hand, often uses a subscription-based pricing model, which includes a flat fee based on the number of users. This can provide a more predictable cost structure, but it may also come with limitations on flexibility and customization compared to Sentinel.
Sentinel vs Blackpoint Comparison
We conducted a comparison of the functions for M365 analytics between Blackpoint and our setup with Microsoft Sentinel. While both solutions have their strengths, Microsoft Sentinel stands out as the more advanced option, offering greater customization and flexibility. However, it requires a certain level of expertise to fully leverage its capabilities. In contrast, Blackpoint provides a more straightforward approach, which may be easier to manage for organizations with limited resources or expertise in security analytics.
| Feature | Blackpoint | Microsoft Sentinel |
| --- | --- | --- |
| Response to suspicious activity | Always responds to suspicious activity | Various severity filters for responses (High, Medium, Low) |
| Consent to unverified app | Notifies when an admin consents to an unverified app | Alerts for unusual app consent (e.g., consent resembling known attack toolkits) |
| Impossible travel detection | Alerts when a user logs in from geographically distant locations within an impossible travel time | Detection of suspicious logins using Azure AD Identity Protection |
| Login from new device/IP | Alerts when a new device or IP is used for login | Sentinel monitors new device and IP activities |
| Login from unapproved country | Notifies on login from unapproved countries | No explicit rule for this scenario, but geographic anomalies can be tracked and blocked by leveraging Conditional Access rules |
| MFA device added | Email notification sent for new MFA devices | Sentinel provides MFA-related alerts (e.g., MFA rejections by users, new MFA devices, etc.) |
| Role management | Alerts for role assignment and removal | Sentinel provides in-depth monitoring of role assignment, including role escalation outside of PIM (Privileged Identity Management) |
| User account management | Notifications for user creation, deletion, and lockout | Tracks user account creations and deletions over short timeframes; equivalent alerts can be created |
| Mailbox monitoring | Alerts for mailbox access and rule changes (e.g., forwarding rules) | Tracks suspicious mailbox rule changes, forwarding rules, and grants of mailbox access |
| Anonymous share link | Sends alerts for anonymous SharePoint file sharing | SharePoint site creation and deletion are monitored along with file-sharing activities |
Monitors exclusive to Microsoft Sentinel:
| Additional Sentinel monitors | Microsoft Sentinel |
| --- | --- |
| Bulk changes to privileged account permissions | Detects bulk changes to privileged accounts, indicating potential insider or external threats |
| Admin promotion via app role assignment | Detects app role assignment used to elevate an account to admin roles |
| Cross-tenant access settings organization added | Detects new organizations added in cross-tenant access settings through GDAP and DAP, potentially indicating a security breach |
| Microsoft Partner customer access group changes | Monitors changes to security groups that provide access to customer tenants |
| Intune non-compliant device | Alerts as soon as devices become non-compliant |
| Modified domain federation trust settings | Alerts on changes to M365 registered domains |
| User MFA rejection | Alerts on users that reject MFA authentications, possibly indicating a compromised password |
| External guest invitation followed by Azure AD PowerShell sign-in | Can indicate an external user performing reconnaissance of the tenant, possibly scanning for privileged accounts and lateral movement paths |
| Malformed user agent | Can indicate a user compromised by MITM attacks with frameworks such as EvilGinx |
| Microsoft Defender Threat Intelligence Analytics | Matches M365 activity (not sign-in logs) against IP addresses known to Defender Threat Intelligence, indicating possible session hijacking |
| SharePointFileOperation via devices with previously unseen user agents | Can indicate cryptoware (ransomware) activity |
| Certificates and secrets management | New secrets and certificates for existing applications can be used to compromise those applications and their privileges |
| Office policy tampering | Identifies tampering with the audit log, ATP Safe Links, Safe Attachments, anti-phishing or DLP policies |
A Holistic Security Approach
It’s essential to remember not to rely too heavily on any single solution. By combining Sentinel or Blackpoint with Intune and other security measures, we establish a comprehensive, resilient defense that effectively responds to emerging threats.
Read more about our Microsoft 365 security recommendations in this blog Microsoft 365 Security / Necessities / Checklist – Prof-IT Services
Stay safe, stay secure!