Maximise value, minimise cost: a strategic log ingestion approach to Microsoft Sentinel | Softcat

How can your organisation use Microsoft Sentinel and Microsoft funding to monitor and manage security threats?

Aoibhín Hamill

Cyber Security Sales Engineer

In the realm of cyber security, Microsoft Sentinel stands out as a powerful tool for monitoring and managing security threats. However, its efficacy hinges on the strategic ingestion of valuable log data. Simply feeding Sentinel with a haphazard collection of logs is not only inefficient but costly, given its consumption-based pricing model. To truly harness the potential of Sentinel, it is crucial to adopt a methodical approach to log ingestion, ensuring that the right data is captured to provide maximum visibility and value. 

The importance of selective log ingestion 

The core of Sentinel's value proposition lies in its ability to provide comprehensive visibility into your security landscape. However, this visibility is only as good as the data you feed into it. Ingesting logs without understanding their purpose can lead to unnecessary costs without enhancing your security posture. Therefore, the key to effective Sentinel deployment is to identify and prioritise the log sources that offer the most significant insights into your environment. 

Steps to optimise log ingestion 

1. Identify key stakeholders and assets

Begin by meeting with relevant stakeholders, including IT, security teams, and business leaders. The goal is to identify the critical assets and applications that require monitoring. Ask questions such as: 

  • Who are our VIPs within the organisation? 

  • What are our mission-critical applications? 

  • What is our access control policy, and how does this impact Role-Based Access Control (RBAC)? 

2. Define security objectives

Clearly outline what you aim to prevent and detect. This involves understanding the types of threats you are most concerned about and the indicators of compromise (IOCs) most relevant to your environment. Questions to consider include: 

  • What specific threats do we want to prevent and detect? 

  • How do we plan to detect these threats? 

  • How can we best secure assets that we can't fully protect, like legacy servers? 

3. Evaluate log sources 

Not all log sources are created equal. Evaluate each potential log source based on its ability to provide valuable insights. Consider the following: 

  • What information does this log source provide? 

  • Who benefits from this information? 

  • How long do we need to retain this data? 

4. Implement cost management strategies 

While cost caps can help manage expenses, they are not a silver bullet. Cost caps will stop the ingestion of chargeable logs once the cap is reached, potentially leading to gaps in visibility. Instead, focus on a balanced approach that includes: 

  • Prioritising high-value log sources. 

  • Implementing retention policies that align with your compliance and operational needs. 

  • Regularly reviewing and adjusting your log ingestion strategy to ensure it remains aligned with your security objectives and budget constraints. 

Practical tips for effective log management 

  • Regular reviews: periodically review your log ingestion strategy to ensure it remains relevant. As your organisation evolves, so will your security needs. 

  • Automation: leverage automation to streamline log management processes. Automated tools can help identify and prioritise log sources, reducing the manual effort required. 

  • Training and awareness: ensure that all stakeholders understand the importance of selective log ingestion and are trained on how to identify valuable log sources. 

Key considerations for estimating Sentinel costs 

Bear in mind that the calculators available online have some limitations. Some Azure and Microsoft 365 logs are free in Sentinel, but an online calculator rarely lets you specify which log source you are counting; for example, it cannot distinguish Azure Activity logs (which are free) from AWS CloudTrail logs (which are chargeable). Similarly, online calculators often make assumptions about log retention and where the data will be stored. These options can usually be adjusted to your own needs, but only if you supply the figures yourself.

Within our Managed Extended Detection and Response (MXDR) service we use an open-source tool named Logstash to tune logs before they reach the Sentinel platform. With this, we ensure that only valuable information from noisy log sources is ingested. An online calculator cannot account for this kind of pre-ingestion filtering either.

How much will Sentinel actually cost?  

To get the closest possible indication, turn it on and start ingesting! For those who can’t stretch the budget that far, we recommend beginning with a pilot project.  

For your pilot project, start by selecting a representative sample of your network or specific log sources to ingest for a defined period – this could be 30, 60, or 90 days. Monitor these costs during this time to gain a clear understanding of your expenses. Once you have a good grasp of the associated costs and feel confident in managing them, gradually add more log sources based on their priority and value. This phased approach allows you to benchmark costs effectively, making it easier to track when new log sources are added and how they impact overall expenses.   
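One way to benchmark the pilot described above, and to separate free from chargeable sources as the calculator section discusses, is to query the workspace's built-in Usage table from the Sentinel Logs blade. This is an added example, not Softcat's own tooling; the per-GB rate is a placeholder you fill in from your own agreement, and the 30-day window is an assumption matching the shortest pilot length suggested.

```kql
// Added example: per-table ingestion over the pilot window, split by billable flag.
// The Usage table records Quantity in MB, so divide by 1024 for GB.
// Free Azure Activity logs appear as DataType "AzureActivity";
// chargeable AWS CloudTrail logs appear as DataType "AWSCloudTrail".
let pilotWindow = 30d;          // assumption: adjust to 60d or 90d for a longer pilot
let pricePerGB = 0.0;           // PLACEHOLDER: your contracted pay-as-you-go rate per GB
Usage
| where TimeGenerated > ago(pilotWindow)
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType, Solution, IsBillable
| extend EstimatedCost = iff(IsBillable, round(IngestedGB * pricePerGB, 2), 0.0)
| order by IsBillable desc, IngestedGB desc

// Run separately: daily billable volume per table, so a step change in the
// trend can be matched to the day a new log source was switched on.
let pilotWindow = 30d;
Usage
| where TimeGenerated > ago(pilotWindow)
| where IsBillable == true
| summarize DailyGB = round(sum(Quantity) / 1024, 2) by Day = bin(TimeGenerated, 1d), DataType
| order by Day asc, DailyGB desc
```

Each query is a separate KQL statement block, so run them one at a time; pin the second as a workbook chart to watch the cost impact of each source added after the pilot.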

Conclusion 

Maximising the value of Microsoft Sentinel requires a strategic approach to log ingestion. By identifying and prioritising high-value log sources, defining clear security objectives, and implementing effective cost management strategies, organisations can enhance their security posture while managing costs. Regular reviews and leveraging automation can further optimise this process, ensuring that Sentinel delivers the visibility and insights needed to protect your organisation effectively. 

By following these guidelines, you can ensure that you get the best bang for your buck with Microsoft Sentinel, achieving comprehensive visibility and robust security without unnecessary expenditure. 

How can Microsoft’s funding options help you get the best value from your security investments? 

To learn more about how you can optimise your Microsoft spend and explore funding options that could benefit your organisation, watch our Softcat webinar “Maximising your cyber security investments with Microsoft” here.  

This webinar will help you better understand the options available to your organisation and enable you to use the funding effectively. You will also gain a comprehensive understanding of how to engage with Softcat's teams and programmes.