Read about assessing the value of alert rules here
Understanding Your Log Sources
Seculyze streamlines your log source configuration, ensuring you derive maximum value with minimal expenditure. You are able to:
Pinpoint the value of each individual Log Source
Follow our recommendations for optimizing the use of Log Source
Our approach evaluates each log source by analyzing its cost against its contribution to alert rules. By plotting these factors on a value matrix, we can determine the log source's overall worth.
Cost: Actual costs of the log source - or estimated if it is not enabled. It is based on list prices and do not have individual discounts included.
Gain: The amount of alert rules mapped to the log source. It is Microsoft indigenous alert rules and not custom alert rules.
A log source with high alert rule contribution and low actual or estimated cost is deemed high-value, indicating critical data flow at optimal expense. Conversely, a log source characterized by low amount of alert rule attributions and high actual or estimated costs is considered low-value, often indicating an area for potential savings.
The Importance of Log Source Value Assessment
In the context of Microsoft Sentinel, log sources are the channels for data inflow. These include native connectors for Microsoft solutions and other types like Syslog, CEF, and REST APIs. By assessing the value of each log source, you can make informed decisions to activate or deactivate them, optimizing your system’s performance and cost management.
Evaluating Your System
To assess your log sources' value:
Navigate to 'Log Sources' under the 'Health' tab.
Review the value assessment and act accordingly, typically enabling or disabling the log source as recommended.
Alternatively, apply all suggestions from the summary section for a comprehensive adjustment.
Learn more about enabling log sources manually here