• KQL Detective Part 3

    What Went Down? The following KQL query is great for checking out your billable ingest patterns over the past quarter for Quarterly Business Reports and similar reviews. In this scenario, you run this query and discover a significant drop in billable ingest volume for a couple of weeks. You’re delivering the... [Read More]
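    As an added illustration of the kind of check that teaser describes (this is not the query from the post, which sits behind the link), the following KQL runs against the Log Analytics Usage table, which records ingested volume per hour in MB with an IsBillable flag. It buckets billable ingest per table into weekly totals over the last quarter and flags any week where a table's volume fell by more than 30% against the previous week. The 90-day window and the 30% threshold are assumptions chosen for this example.

```kql
// Added example: weekly billable ingest per table, with a week-over-week drop flag.
// Usage.Quantity is in MB; StartTime is the start of the usage hour.
Usage
| where TimeGenerated > ago(90d)          // assumed lookback: roughly one quarter
| where IsBillable == true                // exclude free data types
| summarize BillableGB = round(sum(Quantity) / 1024, 2) by Week = bin(StartTime, 7d), DataType
| order by DataType asc, Week asc         // sorted output is serialized, so prev() is allowed
| extend PrevGB = prev(BillableGB, 1), PrevType = prev(DataType, 1)
| extend WeekOverWeekPct = iff(DataType == PrevType and PrevGB > 0,
                               round((BillableGB - PrevGB) / PrevGB * 100, 1),
                               real(null))
| where WeekOverWeekPct < -30             // assumed threshold: a 30% drop is worth a look
| project Week, DataType, PrevGB, BillableGB, WeekOverWeekPct
```

    Remove the final `where` to see the full weekly series for the report; keep it when you only want the weeks that need explaining, since a sudden drop is as often a broken connector or a disabled forwarder as it is a genuine saving.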
  • Sentinel Cost Optimization Exercise Part 2

    Introduction and Use Case: You have recently deployed Microsoft Defender for Endpoint. Before this, your workstations were reporting directly to Sentinel. Now that your workstations have 30 days of retention in the Defender for Endpoint product, why duplicate those workstation logs into your Sentinel ingest volume and pay twice? From... [Read More]
  • Sentinel Cost Optimization Part 2

    Introduction and Use Case: Effective Per GB Price is a crucial part of any cost optimization exercise against your environment. How do you find your Effective Per GB Price, and how do you use it to calculate what a given data source actually costs you? [Read More]
  • Workspace Transformation Rules

    Introduction and Use Case: Workspace Transformation Rules are a very effective way to fine tune your ingest volume. Perhaps you need data from the SecurityEvent table but not ALL of the EventIDs that go with it? Let’s take out the trash! [Read More]
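    As an added example of the SecurityEvent case that teaser mentions (not code from the post or from Microsoft's documentation), this is the shape of the KQL that goes into a workspace transformation rule. In a transformation, `source` refers to the incoming rows for the table, and only rows that survive the query are ingested and billed. The list of EventIDs to keep is an assumption for illustration; pick the set your detections actually reference before deploying it.

```kql
// Added example: workspace transformation for the SecurityEvent table.
// `source` is the incoming stream; anything filtered out here is never ingested or billed.
// The EventID allow-list below is assumed for illustration, not a recommended baseline.
source
| where EventID in (
    4624, 4625,        // logon success / failure
    4648,              // explicit-credential logon
    4672,              // special privileges assigned at logon
    4688,              // process creation
    4697, 7045,        // service installed
    4720, 4726,        // user account created / deleted
    4728, 4732, 4756   // member added to global / local / universal group
  )
```

    Before relying on the rule, confirm it still emits rows: an allow-list that drops everything looks identical to a healthy cost saving in the Usage table. Check that the EventIDs you kept are the ones your analytics rules query, and note that filtered rows are gone for good, not archived.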