SOC Optimization

Use this tool to find opportunities for cost savings and for improving your threat coverage. The common recommendations you will see here are:

Low usage tables

A table may be flagged here if no Analytic rules or threat detections have run against it for the past 30 days. If you see this, it is probably time to evaluate whether you still need the data, or whether your Analytic rules are working as intended. If you need the data but not for security reasons, consider moving it to a cheaper log ingestion option, since Sentinel Analytics logs carry a premium cost.

Unqueried tables

If you have a table that is not being queried at all, then again you are ingesting data at a premium cost that is not being used. Consider adding Analytic rules for it, or again changing it to a cheaper log ingestion type.
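The two checks above (tables that are ingesting data but are not queried or covered by rules) can be approximated yourself with a KQL query in the workspace. This is an added example, not part of the original page or of the SOC Optimization tool; it assumes query auditing is enabled so that `LAQueryLogs` is populated, and it only catches tables named explicitly in query text (queries using `search` or `union *` will not register as coverage).

```kql
// Added example (not the tool's own logic): billable tables that received data in the
// last 30 days but whose name never appears in any query run during that window.
let lookback = 30d;
// Volume ingested per table, from the workspace's Usage table (Quantity is in MB).
let ingested =
    Usage
    | where TimeGenerated > ago(lookback)
    | where IsBillable == true
    | summarize IngestedMB = round(sum(Quantity), 2) by TableName = DataType;
// Every identifier-like token that appeared in any audited query (Analytic rules,
// hunting queries and ad hoc queries all land in LAQueryLogs when auditing is on).
let queried =
    LAQueryLogs
    | where TimeGenerated > ago(lookback)
    | extend Tokens = extract_all(@"([A-Za-z_][A-Za-z0-9_]*)", QueryText)
    | mv-expand Token = Tokens to typeof(string)
    | distinct Token;
// Keep only the ingested tables with no matching token: candidates for a cheaper tier.
ingested
| join kind=leftanti queried on $left.TableName == $right.Token
| order by IngestedMB desc
```

If `LAQueryLogs` is empty, every ingested table will be listed, so confirm auditing has been on for the whole lookback window before acting on the result.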

Threat coverage

Microsoft makes recommendations for certain types of threat coverage, such as Mass Credential Harvest. You will see a radar graph showing the tactics for which they recommend having Analytic rules in place to help protect your environment. Clicking the Content hub button shows the items they recommend adding for improved coverage. This is helpful; however, keep in mind that some of the recommendations will be for tables you have no data for.