• Kql Detective Part 3

    Posted on May 23, 2023

    What Went Down? The following KQL query is great for checking out your billable ingest patterns over the past quarter for Quarterly Business Reports and stuff. In this scenario, you run this query and discover a significant drop in billable ingest volume for a couple of weeks. You’re delivering the... [Read More]

  • Sentinel Cost Optimization Exercise Part 2

    Posted on May 17, 2023

    Introduction and Use Case: You have recently deployed Microsoft Defender for Endpoint. Before this, your workstations were reporting directly to Sentinel. Now that your workstations have 30 days of retention in the Defender for Endpoint product, why duplicate those workstation logs into your Sentienl ingest volume and pay twice? From... [Read More]

  • Sentinel Cost Optimization Part 2

    Posted on May 15, 2023

    Introduction and Use Case: Effective Per GB Price is a crucial part of any cost optimization exercise against your environment. How do you find your Effective Per GB Price and how do you use it to calculate how much stuff costs? [Read More]

  • Workspace Transformation Rules

    Posted on May 10, 2023

    Introduction and Use Case: Workspace Transformation Rules are a very effective way to fine tune your ingest volume. Perhaps you need data from the SecurityEvent table but not ALL of the EventIDs that go with it? Let’s take out the trash! [Read More]