Seculyze provides full transparency into your Microsoft Sentinel log sources by displaying data at the table level, not just by general log source category. This enables you to understand exactly what data you're ingesting, how much it's costing, and how that maps to detection value, which is crucial for informed decision-making and reporting.
Looking for "How to connect a Log Source Manually"?
What Log Sources are Shown?
Seculyze displays two types of log sources in your workspace:
1. Active Log Sources
These are log sources (tables) that are currently ingesting data into your Microsoft Sentinel environment. Examples include:
Microsoft Azure logs, like SecurityEvent
SAP logs, like SAPAuditLog
Cisco logs, like Cisco_Umbrella_dns_CL
Auth0 logs, like Auth0AM_CL
These reflect your actual data usage and are the foundation of your cost and coverage analysis.
2. Available Azure Log Sources
These are potential log sources that are not currently enabled but are available due to your Azure setup. A common example is AzureActivity, which is often pre-integrated and easy to activate.
Showing both active and available log sources helps you plan ahead and understand what data you could bring in if needed.
Table-Level Granularity
Rather than showing logs at a high-level source name (e.g., “Firewall Logs”), Seculyze breaks it down to the individual table level. For example:
CommonSecurityLog may contain data from multiple vendors. Seculyze separates these internally, so you can see per-vendor ingestion and cost.
This approach gives you fine-grained visibility into which data sources are driving cost, and which are actively contributing to detections.
Cost Visibility
Each log source table includes an estimated ingestion cost, calculated using Microsoft pricing and ingestion volume data. This helps you:
Understand where your budget is being used
Compare ingestion cost against alert coverage
Present a value-based overview to management
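The two views described above (billable volume per table, and the shared CommonSecurityLog table split per vendor) can be reproduced directly in the Sentinel Logs blade. This is an added example, not Seculyze's own code or query; it assumes the built-in Log Analytics Usage table and the _BilledSize column, and the per-GB price is a placeholder you must replace with your own workspace rate.

```kql
// Added example, not Seculyze's own query.
// Assumes: the built-in Usage table (Quantity is billable MB per DataType)
// and the _BilledSize column present on every Log Analytics table.
// pricePerGB is a PLACEHOLDER; substitute your workspace's actual per-GB rate.

// Query 1: billable ingestion and estimated cost per table over 30 days
// (this is the "Active Log Sources" view, one row per table)
let pricePerGB = 0.0;   // PLACEHOLDER rate, replace before use
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| extend EstimatedCost = round(IngestedGB * pricePerGB, 2)
| order by IngestedGB desc

// Query 2: split the shared CommonSecurityLog table by vendor and product
// (table-level granularity: which CEF sources actually drive the volume)
let pricePerGB = 0.0;   // PLACEHOLDER rate, replace before use
CommonSecurityLog
| where TimeGenerated > ago(30d)
| summarize Events = count(),
            IngestedGB = round(sum(_BilledSize) / 1024 / 1024 / 1024, 2)
    by DeviceVendor, DeviceProduct
| extend EstimatedCost = round(IngestedGB * pricePerGB, 2)
| order by IngestedGB desc
```

Run the two queries separately in the Logs blade, since each carries its own let binding and a single run expects one tabular result; a table with high IngestedGB but no analytics rules referencing it is the first candidate to review for cost versus coverage.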