Without a doubt, SOC Optimization has been one of my favorite additions to Sentinel this year. If you’re unfamiliar with it, SOC Optimization is a new(ish) feature that is designed to give some practical steps to take to improve your SIEM - either by helping you reduce storage costs or increase coverage against attacks. Check out my previous blog for a deeper dive here.
But today, let’s talk about some additional yummy goodness that’s been added to the feature. The first is about how SOC Optimization works with Auxiliary Logs. Previously, the recommendations from SOC Optimization focused on identifying unused tables and suggesting that you increase your usage by implementing some analytic rules or by switching the tables’ commitment tier to Basic Logs.
With the latest Public Preview update, you might also get a recommendation that eligible tables can be moved to Auxiliary Logs. Aux Logs are a low-cost data tier in Microsoft Sentinel designed for verbose, high-volume logs such as network, firewall and proxy logs. So, moving that data to a less expensive tier can be a great way to optimize your SIEM costs.
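As an added illustration (not part of the original post, and not the product's own logic), here is a simple heuristic that mirrors the "unused tables" recommendation: rank billable tables by ingested volume where no enabled analytic rule reads from them. The table names, volumes and rules are constructed sample data standing in for the Usage table and exported rule definitions.

```python
"""Rank billable Sentinel tables that no enabled analytic rule queries.

Constructed sample data stands in for two real sources: the Usage table
(billable MB per DataType) and exported analytic rule definitions (KQL).
"""
import re
from collections import defaultdict

# Constructed sample: (DataType, billable MB over 30 days) as Usage would report it.
USAGE_ROWS = [
    ("SecurityEvent", 48_000.0),
    ("CommonSecurityLog", 120_500.0),
    ("AzureActivity", 900.0),
    ("Syslog", 31_200.0),
    ("SigninLogs", 4_100.0),
]

# Constructed sample of exported analytic rules: (display name, enabled, KQL).
RULES = [
    ("Brute force logons", True, "SecurityEvent | where EventID == 4625 | summarize count() by Account"),
    ("Risky sign-ins", True, "SigninLogs\n| where RiskLevelDuringSignIn == 'high'"),
    ("Old firewall rule", False, "CommonSecurityLog | where DeviceAction == 'deny'"),
]

# The first identifier before the first pipe is the query's source table.
_SOURCE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)")


def source_tables(kql: str) -> set[str]:
    """Return the table(s) a query reads from; handles 'union T1, T2' as well as a plain 'T'."""
    head = kql.split("|", 1)[0].strip()
    if head.lower().startswith("union"):
        return {t.strip() for t in head[5:].split(",") if t.strip()}
    m = _SOURCE_RE.match(head)
    return {m.group(1)} if m else set()


def unused_tables(usage, rules):
    """Billable tables not read by any enabled rule, ranked by ingested GB (descending)."""
    referenced = set()
    for _name, enabled, kql in rules:
        if enabled:  # a disabled rule gives no detection coverage, so it does not count
            referenced |= source_tables(kql)
    gb = defaultdict(float)
    for table, mb in usage:
        gb[table] += mb / 1024  # Usage.Quantity is reported in MB
    candidates = [(t, round(v, 2)) for t, v in gb.items() if t not in referenced]
    return sorted(candidates, key=lambda x: x[1], reverse=True)
```

The highest-volume entries in the result are the ones worth reviewing for a cheaper tier or for new detection content; the real feature applies its own eligibility rules for which tables may move to Auxiliary Logs.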
Another new Public Preview update for SOC Optimization is called Recommendations Based on Similar Organizations. These recommendations leverage machine learning to suggest which data you should ingest, based on similarities with organizations that are in comparable industries to yours and have similar ingestion patterns.
We’ll suggest out-of-the-box rules for each recommended table, along with insights into the percentage of organizations using them for detection and investigation purposes. This will help streamline the process of deciding which tables you need and which analytic rules to turn on.
I hope you’ll check out these new features to help you get the most value from Sentinel that you can. SIEMs need constant care and feeding. They’re kind of like a new puppy that way.
Happy holidays, everyone!
Great write-up on these new features in SOC Optimisation, I find this blade in Sentinel really useful for seeing gaps in detections. These gaps could be filled by out-of-the-box content that’s already available on Content Hub. This is a really useful feature in Microsoft Sentinel.
Thanks for the write-up. 🤗