Managing logs in a SIEM environment can be challenging, especially when aiming to design a solution that is extensible, highly available, future-proof, and reasonably priced. In this third installment of the ‘Powerful Capabilities of Data Collection Rules’ series, I show how the …

In the last post, we looked at the ‘Direct’ DCR that simplifies API-based data ingestion. Today, we’re looking at the AgentDirectToStore Data Collection Rule type, which gives you more options for where to send your data. The ‘AgentDirectToStore’ DCR lets the Azure …

DCRs are the modern backbone of data ingestion for Azure Sentinel, replacing legacy methods with a scalable, flexible, and consistent approach that uses a common data ingestion pipeline for all data sources. DCRs enable advanced filtering, transformation, and routing of data before it even hits your …

In my previous post, I demonstrated how to set up basic aggregated logging for firewall events using Fluent Bit, effectively reducing log ingestion costs in a way similar to Sentinel’s Summary rules. In this follow-up, I will walk you through a practical solution for storing these logs …

As companies grow and adopt new IT solutions, they naturally generate more data—and with that comes rising data storage costs. This is where telemetry data management or telemetry data pipeline tools come into play. These tools can help by trimming down unnecessary data or moving less critical …

When it comes to managing logs in Microsoft Sentinel, shared tables like Syslog, CommonSecurityLog, and AzureDiagnostics often serve as the default destinations for consolidating data from various solutions. While forwarding logs to these tables aligns with Microsoft’s ‘best …

Azure Policies are an excellent tool for standardizing and scaling your environment within Azure. They can be used to configure log collection from Azure resources to Microsoft Sentinel. While you can manually set up log collection if your Azure environment is small, a growing cloud presence will …

DCRs and their ingestion-time transformations have been around for quite a while. They are commonly used in modern Sentinel deployments, but I’ve utilized several specific configurations that are particularly useful during SIEM onboarding, migration, and troubleshooting scenarios. The primary …