KQL to show records and data size to estimate costs of Sentinel data storage

Cost Management & Microsoft Sentinel

Let’s talk about Microsoft Sentinel and managing costs. With cost being foundational pillar of Microsoft’s Well Architected Framework, part of good governance, and a major driver for product selection of SIEMs; let’s see if we can take some of mystery out of how to get started with managing costs in our favourite SIEM solution!

Posted on 7:35 am

Where to find Incident Investigation Artifacts in M365

A common challenge that security teams face is simply not knowing where all the artifacts can be found during an investigation. Microsoft Defender tools are capable of collecting a lot of data, and that can create questions during investigations of where is all this data and how do I find it quickly? Join me for a tour of the basics of Defender data retention periods and where to find that data.

Posted on 7:00 am

The Mysteries of Log Analytics Workspaces

Log Analytics workspaces provide a special way to store log data from multiple sources such as Microsoft Defender for Cloud, Azure Monitor, and so much more. A workspace typically combines data from multiple services and likely has it’s own distinct configuration for retention. I get a lot of questions about what the differences between workspaces within the Log Analytics scope are and why we would use them. Let’s take a look today at some of the information around Microsoft Azure Log Analytics Workspaces.

Posted on 8:56 pm