Microsoft Sentinel Cost Optimisation

Microsoft Sentinel costs can get out of control when you are dealing with large volumes of data. Sentinel is billed mainly on the volume of data ingested into its Log Analytics workspace (and on how long that data is retained), so when you run a SIEM like Sentinel it is important to understand what your ingestion costs are and which sources drive them. Every gigabyte that reaches the workspace is parsed, indexed and stored, and you pay for it whether or not a detection ever reads it. It is therefore very important not to flood the workspace with irrelevant data.

Some helpful strategies to minimise cost:

Review the verbosity level of your application logs and whether each level is actually relevant to your SIEM. Debug and informational noise that no analytic rule or investigation will ever use is still billed per gigabyte once it reaches the workspace.

Use a syslog collector (for example a Linux forwarder running rsyslog or syslog-ng with the Azure Monitor agent) to filter out log data before it reaches Sentinel. Dropping known-noise messages on the collector reduces your overall ingested volume, and because the filtering happens before the data is billed it reduces cost directly. Keep the filter rules narrow and version-controlled: a rule that is too broad silently removes evidence you may need during an incident.

https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog

Consider replacing repetitive, low-value messages with a short event code before they are sent, and restoring the full text at query time. A message whose text is completely static does not need to be transmitted and billed in full on every occurrence: the collector rewrites it to a compact code, and a lookup table kept in Sentinel (a watchlist works for this, joined in KQL with _GetWatchlist()) maps the code back to the original text when an analyst or a rule needs it. Note that this is not a built-in Sentinel feature; it is something you implement on the collector and in your queries, and it only works for messages that are identical every time.

Consider the auth.log entry below.

Jan 01 00:00:01 User102 CRON[8345]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)

On the collector this can be rewritten to:

Jan 01 00:00:01 User102 CRON[8345]: Event{1}

Sentinel stores only the short line, and a query can expand the “Event{1}” code back to the full message by joining against the lookup table. The data still reads correctly to an analyst, but you paid for a fraction of the bytes. Two caveats apply. First, only substitute messages whose text is identical on every occurrence; a line with a variable field (username, source IP, PID, command) must be forwarded verbatim, or you destroy the evidence and break the parsers and detections that read those fields. Second, any analytic rule that previously matched on the full text now has to match on the code, so update and re-test your detections before you change the collector. If you would rather not maintain a code table, the supported alternative is an Azure Monitor data collection rule (DCR) with an ingestion-time transformation, which can filter rows and drop unneeded columns before the data is billed.
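The collector-side pipeline described above (drop known-noise lines, substitute fully static messages with a code, expand the code again at query time), as an added example written for this page rather than code from the original page or from Microsoft. The auth.log lines, the drop rule and the codebook are constructed for illustration; in production the drop rules would live in your rsyslog/syslog-ng configuration and the codebook in a watchlist, with the same exact-match logic. The byte accounting shows what the substitution actually saves on the sample.

```python
import re

# Constructed sample auth.log lines (not taken from any real host).
SAMPLE_LOG = """\
Jan 01 00:00:01 User102 CRON[8345]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jan 01 00:00:01 User102 CRON[8345]: pam_unix(cron:session): session closed for user root
Jan 01 00:00:07 User102 sshd[8351]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jan 01 00:00:09 User102 sshd[8351]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2: ED25519 SHA256:c0ns7ruc73d
Jan 01 00:01:01 User102 CRON[8402]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jan 01 00:01:01 User102 CRON[8402]: pam_unix(cron:session): session closed for user root
Jan 01 00:01:15 User102 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

# BSD-style syslog line: timestamp, host, process[pid], message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)

# Messages the collector never forwards (hypothetical policy: the cron
# "session closed" line carries nothing the matching "opened" line did not).
DROP_PATTERNS = [
    re.compile(r"^pam_unix\(cron:session\): session closed for user root$"),
]

# Codebook: short code -> the exact, fully static message it stands for.
# Only exact whole-message matches are substituted, so a line carrying a
# username, IP, port or command can never be collapsed by accident.
CODEBOOK = {
    "Event{1}": "pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)",
}
REVERSE_CODEBOOK = {msg: code for code, msg in CODEBOOK.items()}


def parse_syslog(line):
    """Split a syslog line into its fields, or None if it is not well formed."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def rebuild(rec, msg):
    """Reassemble a syslog line from parsed fields and a (possibly new) message."""
    return f"{rec['ts']} {rec['host']} {rec['proc']}: {msg}"


def process_line(line):
    """Collector-side decision: None means drop, otherwise the line to forward."""
    rec = parse_syslog(line)
    if rec is None:
        return line  # unparseable lines are forwarded untouched, never lost silently
    if any(p.match(rec["msg"]) for p in DROP_PATTERNS):
        return None
    code = REVERSE_CODEBOOK.get(rec["msg"])
    return rebuild(rec, code) if code else line


def collector_filter(text):
    """Run every line through process_line and account for the bytes saved."""
    forwarded = []
    stats = {"in_lines": 0, "out_lines": 0, "dropped": 0, "substituted": 0,
             "in_bytes": 0, "out_bytes": 0}
    for line in text.splitlines():
        if not line:
            continue
        stats["in_lines"] += 1
        stats["in_bytes"] += len(line.encode()) + 1  # +1 for the newline
        out = process_line(line)
        if out is None:
            stats["dropped"] += 1
            continue
        if out != line:
            stats["substituted"] += 1
        forwarded.append(out)
        stats["out_lines"] += 1
        stats["out_bytes"] += len(out.encode()) + 1
    return forwarded, stats


def expand(line):
    """Query-side step: restore the full message for a coded line (the watchlist join)."""
    rec = parse_syslog(line)
    if rec is None:
        return line
    full = CODEBOOK.get(rec["msg"])
    return rebuild(rec, full) if full else line


def saving_percent(stats):
    """Percentage of ingested bytes removed by dropping and substitution."""
    return round(100 * (1 - stats["out_bytes"] / stats["in_bytes"]), 1)


if __name__ == "__main__":
    forwarded, stats = collector_filter(SAMPLE_LOG)
    for line in forwarded:
        print(line)
    print(stats, f"saved {saving_percent(stats)}%")
    # Every forwarded line expands back to exactly what the host wrote.
    kept = [l for l in SAMPLE_LOG.splitlines() if process_line(l) is not None]
    assert [expand(l) for l in forwarded] == kept
```

The sshd and sudo lines pass through untouched because their text varies per event; that is the property to preserve when you move the codebook into a watchlist. Run the same accounting over a day of real collector output before deciding which messages are worth a code; on most hosts a handful of static pam_unix and cron lines make up a large share of auth.log by byte count.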