Microsoft Sentinel Data Tiering Best Practices - Tech Community Live!
Event Ended
Tuesday, Oct 29, 2024, 09:00 AM PDT

Event details
Discover the power of the new Auxiliary logs tier (Public Preview) and learn how to use Summary rules (Public Preview) to summarize data from any log tier in Microsoft Sentinel and Log Analytics. We’...
TrevorRusher
Updated Dec 27, 2024
sylviahuang
Oct 29, 2024, Copper Contributor
Are there any best practices for gathering these requirements, and are there calculators available to help determine the best data management options to meet the use case needs?
- Matt_Lowe, Oct 29, 2024, Microsoft

Leveraging use cases (MITRE Tactics, attack scenarios, industry requirements) is a good way to determine which data is needed and where it should land in terms of data tier. From there, it's about determining how often a SOC analyst may need that data. Is it for detections? Is it for monitoring in workbooks? Is it needed for investigation? That will help figure out if the data should be analytics (hot), basic (cool), or aux (cold). Regarding calculations, we recommend just using the public Azure calculator for Microsoft Sentinel/Azure Monitor. Please see: https://azure.microsoft.com/en-us/pricing/calculator/?msockid=2fe98aff6088637619829e7a61a562bd

- GBushey, Oct 29, 2024, Former Employee

There are no calculators, although the SOC Optimization will say if a table hasn't been used and could be switched. It will really depend on the amount of data being ingested and what that data will be used for.