Log Source Value Assessment

Optimize Microsoft Sentinel data connectors with Seculyze's log source value assessment

Updated over 10 months ago

Read about assessing the value of alert rules here

Understanding Your Log Sources

Seculyze streamlines your log source configuration, ensuring you derive maximum value with minimal expenditure. You are able to:

  • Pinpoint the value of each individual log source

  • Follow our recommendations for optimizing the use of each log source

Our approach evaluates each log source by analyzing its cost against its contribution to alert rules. By plotting these factors on a value matrix, we can determine the log source's overall worth.

  • Cost: The actual cost of the log source, or an estimate if it is not enabled. Costs are based on list prices and do not include individual discounts.

  • Gain: The number of alert rules mapped to the log source. Only Microsoft's built-in alert rules are counted, not custom alert rules.

A log source with a high alert rule contribution and a low actual or estimated cost is deemed high-value, indicating critical data flow at optimal expense. Conversely, a log source with few alert rule attributions and a high actual or estimated cost is considered low-value, often indicating an area for potential savings.
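The cost-versus-gain matrix described above, as an added example that is not Seculyze's own code: it classifies a few constructed Sentinel connectors by monthly list-price cost (measured if enabled, estimated if not) against the number of built-in alert rules mapped to them. The per-GB list price, the quadrant thresholds and the sample connectors are all placeholders chosen for illustration.

```python
from dataclasses import dataclass

# Placeholder list price per GB ingested (constructed, not a real quote).
LIST_PRICE_PER_GB = 2.0


@dataclass
class LogSource:
    name: str
    enabled: bool
    gb_per_day: float        # measured when enabled, estimated when disabled
    builtin_rule_count: int  # Microsoft built-in alert rules mapped to it

    def monthly_cost(self) -> float:
        # List price only; individual discounts are deliberately ignored.
        return self.gb_per_day * 30 * LIST_PRICE_PER_GB


def assess(sources, cost_threshold=1000.0, gain_threshold=10):
    """Place each source in the value matrix and derive a recommendation."""
    result = {}
    for s in sources:
        cost, gain = s.monthly_cost(), s.builtin_rule_count
        high_cost, high_gain = cost > cost_threshold, gain >= gain_threshold
        if high_gain and not high_cost:
            quadrant = "high-value"
        elif high_cost and not high_gain:
            quadrant = "low-value"
        else:
            quadrant = "mixed"  # both high or both low: needs a human look
        if quadrant == "low-value" and s.enabled:
            recommendation = "consider disabling"
        elif quadrant == "high-value" and not s.enabled:
            recommendation = "consider enabling"
        else:
            recommendation = "no change"
        result[s.name] = {
            "monthly_cost": cost,
            "cost_per_rule": cost / max(gain, 1),
            "quadrant": quadrant,
            "recommendation": recommendation,
        }
    return result


# Constructed sample connectors (volumes and rule counts are illustrative).
SAMPLE_SOURCES = [
    LogSource("AzureActiveDirectory", True, 5.0, 40),
    LogSource("Syslog", True, 60.0, 3),
    LogSource("Office365", False, 8.0, 25),   # cost is an estimate
    LogSource("AzureFirewall", True, 20.0, 12),
]
```

Running `assess(SAMPLE_SOURCES)` flags the Syslog connector as low-value and the disabled Office365 connector as high-value worth enabling; the cost-per-rule figure helps rank several low-value sources against each other.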

The Importance of Log Source Value Assessment

In the context of Microsoft Sentinel, log sources are the channels for data inflow. These include native connectors for Microsoft solutions and other types like Syslog, CEF, and REST APIs. By assessing the value of each log source, you can make informed decisions to activate or deactivate them, optimizing your system’s performance and cost management.

Evaluating Your System

To assess your log sources' value:

  1. Navigate to 'Log Sources' under the 'Health' tab.

  2. Review the value assessment and act accordingly, typically enabling or disabling the log source as recommended.

  3. Alternatively, apply all suggestions from the summary section for a comprehensive adjustment.
