  • Workspace Transformation Rules

    Introduction and Use Case: Workspace Transformation Rules are a very effective way to fine tune your ingest volume. Perhaps you need data from the SecurityEvent table but not ALL of the EventIDs that go with it? Let’s take out the trash!
  • Sentinel Cost Optimization

    Introduction and Use Case: You’ve just deployed Microsoft Sentinel to your Log Analytics Workspace… now what? How do you know this is an efficient setup? Let’s take a walk on the LEAN side.
  • KQL Detective Part 2

    Recap: In my last post, we leveraged the awesome power of KQL to investigate the drop in billable LogManagement ingest volume illustrated below (left side). During this investigation, we noticed a sudden increase in Security ingest volume toward the end of March. In this post, we’re going to track down...
  • KQL Detective Part 1

    Introduction and Use Case: So you’re a new kid on the SOC and Accounting is freaking out about a massive unexpected increase in their Sentinel ingest cost (or a sudden decrease, both are covered in detail) - and demanding an explanation. This is a step-by-step guide to leveraging KQL for...