Microsoft Sentinel Blog

Introducing Microsoft Sentinel Optimization Workbook

JeremyTan (Microsoft)
Aug 23, 2023

Optimizing Microsoft Sentinel ingestion cost, improving operational efficiency, and strengthening threat management each contribute to the overall efficiency, cost-effectiveness, and efficacy of an organization's security operations. To assist with these challenges, we are introducing the Optimization Workbook.

This workbook aims to empower security teams by providing invaluable insights into your Microsoft Sentinel environment and offering recommendations to enhance cost efficiency, operational effectiveness, and overall management overview.

The Three Pillars of Insight:

At the core of the Microsoft Sentinel Optimization Workbook are three comprehensive tabs: Cost and Ingestion Optimization, Operational Optimization and Effectiveness, and Management and Acceleration.

Each tab includes a Summary section that provides an overview filled with high-level insights, presented through tiles displaying useful high-level information. More detailed information related to the summary can be found in the Details section. Here, you'll discover comprehensive data and practical recommendations that complement the insights from the summary.

1. Cost and Ingestion Optimization:

Gaining a clear understanding of cost management is crucial for any organization's security strategy. The Cost and Ingestion Optimization tab of the workbook offers a detailed analysis of your current Microsoft Sentinel environment, providing recommendations on how to optimize costs while ensuring efficient data ingestion. Harnessing the power of this tab will help you make informed decisions on resource allocation and budgeting, ultimately saving you time and resources.

In the tab, you will find information related to the following:

  • Top ingestions
  • Ingestion anomalies
  • Pricing SKU & commitment tier
  • E5 benefit utilization
  • Basic logs
  • Active restoration
  • Search job
  • Data collection rules & ingestion transformation

Here are some sample charts you will find in the tab. These insights provide visibility into the most significant data sources, detect irregular patterns in data ingestion, help users understand their pricing model and commitment level, and highlight key findings that enable effective cost management and optimization.
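As an added illustration, not a query from the workbook itself, the following KQL reproduces the idea behind the "Top ingestions" and "Ingestion anomalies" views over the standard Log Analytics Usage table: it takes the ten largest billable tables of the last 30 days and flags days on which their ingestion departs from the seasonal baseline. The Usage column names are the table's standard schema; the 1.5 anomaly threshold is an assumed sensitivity you would tune for your workspace.

```kql
// Added example, not the workbook's own query: daily ingestion anomalies for the
// ten largest billable tables over the last 30 days. Assumes the standard
// Log Analytics Usage table (DataType, Quantity in MB, IsBillable).
let lookback = 30d;
// The "Top ingestions" view: largest billable tables by volume
let topTables =
    Usage
    | where TimeGenerated > ago(lookback)
    | where IsBillable == true
    | summarize TotalGB = sum(Quantity) / 1024 by DataType
    | top 10 by TotalGB desc
    | project DataType;
// The "Ingestion anomalies" view: one daily series per top table
Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true
| where DataType in (topTables)
| make-series DailyGB = sum(Quantity) / 1024 default = 0
    on TimeGenerated from ago(lookback) to now() step 1d by DataType
// series_decompose_anomalies flags points that deviate more than the threshold
// (1.5, assumed here) from the seasonal + trend baseline; +1 = spike, -1 = dip
| extend (Anomalies, Score, Baseline) =
    series_decompose_anomalies(DailyGB, 1.5, -1, 'linefit')
| mv-expand TimeGenerated to typeof(datetime), DailyGB to typeof(double),
    Anomalies to typeof(long), Score to typeof(double), Baseline to typeof(double)
| where Anomalies != 0
| project TimeGenerated, DataType,
    DailyGB = round(DailyGB, 2), BaselineGB = round(Baseline, 2),
    Score = round(Score, 2), Direction = iff(Anomalies > 0, "spike", "dip")
| order by Score desc
```

A spike on a high-volume table is usually the first sign of a misconfigured connector or a log level left on debug, so this is the query to pair with a data collection rule transformation once the offending source is identified.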

2. Operational Optimization and Effectiveness:

To stay protected against the ever-evolving cybersecurity landscape, operational optimization is key. This tab is designed to provide you with a comprehensive overview of your operational efficiency, empowering you to identify potential bottlenecks and areas for improvement.

Below is a list of the insights you will find in this tab. Armed with them, your security team can shorten its response time and keep your organization one step ahead of potential threats.

  • Number of incidents with Automation used
  • Number of incidents without Automation used
  • Mean time to respond with Automation
  • Average time to acknowledge
  • Average time to closure
  • Mean time to respond without Automation
  • Mean time to respond with tasks
  • Highest mean time to respond
  • Closing classifications over time
  • Alerts over time per severity
  • Incidents over time per severity
  • Incidents owned per user
  • Failed Analytics
  • Top modified rules

For example, here are some of the charts you will find in the workbook. By understanding the number of incidents with and without Automation, mean time to respond, and other time-related metrics, the security team can identify areas where operational efficiency can be improved. They can focus on reducing response times, promptly acknowledging incidents, and streamlining incident closure processes.
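As an added illustration, not a query from the workbook itself, this KQL computes the closure-time metrics listed above per severity and closing classification over the standard SecurityIncident table. One assumption of this example: time to acknowledge is approximated as the gap between an incident's creation and its first modification (typically assignment or a status change), which is not necessarily how the workbook measures it.

```kql
// Added example, not the workbook's own query: acknowledgement and closure
// metrics per severity and closing classification for incidents closed in the
// last 90 days, from the standard SecurityIncident table. Every incident update
// writes a new row, so arg_max keeps only the latest state of each incident.
let lookback = 90d;
SecurityIncident
| where TimeGenerated > ago(lookback)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status == "Closed" and isnotempty(ClosedTime)
// Assumption of this example: the first modification after creation is treated
// as the acknowledgement (assignment, triage or status change)
| extend HoursToAcknowledge = datetime_diff('minute', FirstModifiedTime, CreatedTime) / 60.0,
         HoursToClose = datetime_diff('minute', ClosedTime, CreatedTime) / 60.0
| summarize Incidents = count(),
            AvgHoursToAcknowledge = round(avg(HoursToAcknowledge), 1),
            AvgHoursToClose = round(avg(HoursToClose), 1),
            P90HoursToClose = round(percentile(HoursToClose, 90), 1)
    by Severity, Classification
| order by Severity asc, Incidents desc
```

A large gap between the average and the 90th percentile of closure time usually points to a small number of incidents stuck without an owner, which the "Incidents owned per user" view then helps locate.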

3. Management and Acceleration:

Leading and managing security operations efficiently is a challenging task. The Management and Acceleration tab of the Microsoft Sentinel Workbook provides a panoramic view of your threat management.

Below is a list of details available in this tab, giving you the insights to make well-informed decisions and foster accelerated growth.

  • Workspace & Table Retention
  • Microsoft Defender for Cloud Benefits
  • Automation Rules
  • Playbooks
  • Workbooks
  • Threat Intelligence Indicators
  • Watchlists
  • Analytics Rules

Here are some sample charts you will find in the workbook. The panoramic view of Microsoft Sentinel and threat management provided by the tab offers a holistic understanding of the organization's security landscape. This enables the security team to grasp the bigger picture and identify potential areas of concern.

Prerequisite:

To visualize data under the 'Operational Optimization and Effectiveness' and 'Management and Acceleration' tabs, auditing and health monitoring data must be available in the workspace. Follow the instructions in Turn on auditing and health monitoring for Microsoft Sentinel.

Getting started with the workbook:

  • Search for the 'Microsoft Sentinel Optimization Workbook' in the Content hub and install the solution.
  • After that, click on 'Configuration,' or go to the Workbooks blade, and you will find the workbook under 'Templates.' Save the workbook, and it will be available under 'My Workbooks.'

Special thanks to Matt_Lowe and MargaretMwaura for their collaboration on this workbook.

Updated Aug 22, 2023
Version 1.0

Comments (9)

  • Ian Noble

    JeremyTan Is there any reason why I can't locate this workbook in the Gallery?

    Apologies, answered my own question. Searched in the Content Hub, as you described, and there it is 🤦

  • JRitola

    Excellent workbook. I would appreciate it if you could add support for Azure Lighthouse / cross-tenant queries in the next release. That would save me, as an MSSP, a lot of time if I could run this workbook without needing to install it on every Sentinel and change directories all the time.

    • pmillingham

      Hi JRitola, you can edit the saved workbook by editing the subscription parameter. See the attached screenshot

  • JamieLiu5005

    Does this workbook include both MS Sentinel and its Log Analytics Workspace ingestion?

  • Thank you for sharing this suggestion with us SocInABox. We will definitely take your suggestion into consideration as we continue to enhance it.

  • SocInABox

    What would be a super addition to this is recommendations for unnecessarily high volume log sources.

    For example, for the top 10 log sources or event types, if there are known disadvantages to those event types, give tips such as:

    Cisco session setup/teardown events: indicates debug level is enabled, so "consider changing log level from debug to informational".

    AWS CloudTrail API events: "consider using the Defender for Cloud Apps AWS connector/alerts instead of CloudTrail logs".

    Windows server firewall logs: "consider Defender for Endpoint alerts instead of local firewall logs".

    etc.