Drowning in logs? You’re not alone. When on-premise systems spew unfiltered telemetry into Microsoft Sentinel, you end up with bloated dashboards, noisy detections, and a hemorrhaging Azure bill.
This guide is your antidote: a meticulous blueprint for curating log data — turning a chaotic flood into a lean, incisive signal stream that tells a story worth listening to.
Why Log Curation Is a Power Move
Microsoft Sentinel’s pricing model is tied to log ingestion volume, not outcomes. That means every redundant event, every low-severity blip, costs you time, clarity, and capital.
Here’s why curating your data is essential:
- 🧠 Clarity: Fewer distractions = faster decisions
- 💰 Savings: Reduced ingestion = reduced spend
- ⚔️ Precision: Less noise = stronger detections
✨ Bonus: Pair intelligent filtering with Sentinel Commitment Tiers, and you’ll enjoy tiered discounts based on predictable usage — maximizing value while minimizing waste.
Filter Logs at the Source First
On-prem devices often support granular log tuning. Start there — it’s the cleanest place to prune excess data.
🔸 Fortinet (FortiGate)
Limit logging to critical severity levels (the severity threshold lives under the syslog filter, not the server settings):
```
config log syslogd filter
    # forward only emergency, alert and critical messages to the syslog server
    set severity critical
end
```
Exclude noise like session logs:
```
config log setting
    # stop logging traffic matched by the implicit deny policy
    set fwpolicy-implicit-log disable
end
```
[Insert Screenshot of Fortinet GUI Logging Settings]
Let Your Syslog Forwarder Be Ruthless
If device-level filtering isn’t possible, make your Linux log forwarder the enforcer.
🔸 Example: rsyslog.conf
Drop noisy messages before they leave the box:
```
# discard anything mentioning debug or heartbeat; no later rule sees it
if $msg contains 'debug' or $msg contains 'heartbeat' then stop
```
Forward only specific log types:
```
# UDP forward (single @) of sshd authentication failures to the local agent listener
if $programname == 'sshd' and $msg contains 'Failed' then @127.0.0.1:25226
```
[Insert Diagram of Device → Syslog → Sentinel]
AMA + DCRs = Elegant Ingestion Control
Using Azure Monitor Agent? Define Data Collection Rules (DCRs) so the agent collects only the events you ask for.
🔸 Targeted Windows Events
```json
"dataSources": {
  "windowsEventLogs": [
    {
      "name": "securityEventsAllowList",
      "streams": ["Microsoft-SecurityEvent"],
      "xPathQueries": [
        "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]"
      ]
    }
  ]
}
```
Filter what you ingest — and nothing more.
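The following Python is an added example, not code from the original post: it generates the XPath filter a DCR uses to pick Windows events by ID and wraps it in a minimal DCR body, in both the allow-list form shown above and the deny-list form for noisy IDs (5156, 4688, 4662). The `windowsEventLogs` / `xPathQueries` structure and the `Microsoft-SecurityEvent` stream name follow the Azure Monitor DCR schema; the workspace resource ID is a placeholder, and the 256-character guard on query length reflects the limit stated in Azure Monitor's documentation and is treated here as an assumption to confirm against the current docs.

```python
import json

SECURITY_STREAM = "Microsoft-SecurityEvent"  # stream that lands in Sentinel's SecurityEvent table
XPATH_MAX_LEN = 256  # assumed: Azure Monitor's documented per-query XPath length limit


def xpath_for_event_ids(event_ids, channel="Security", exclude=False):
    """Build the XPath 1.0 filter a DCR uses to select events by ID.

    exclude=False -> allow-list: (EventID=a or EventID=b ...)
    exclude=True  -> deny-list:  (EventID!=a and EventID!=b ...)
    """
    ids = sorted({int(i) for i in event_ids})
    if not ids:
        raise ValueError("at least one event ID is required")
    if exclude:
        clause = " and ".join(f"EventID!={i}" for i in ids)
    else:
        clause = " or ".join(f"EventID={i}" for i in ids)
    query = f"{channel}!*[System[({clause})]]"
    if len(query) > XPATH_MAX_LEN:
        # Long ID lists overflow the limit; split them across several xPathQueries entries instead
        raise ValueError(f"XPath is {len(query)} chars, over the {XPATH_MAX_LEN} limit")
    return query


def windows_event_log_data_source(name, event_ids, exclude=False, channel="Security"):
    """One entry for dataSources.windowsEventLogs in a DCR."""
    return {
        "name": name,
        "streams": [SECURITY_STREAM],
        "xPathQueries": [xpath_for_event_ids(event_ids, channel=channel, exclude=exclude)],
    }


def build_dcr(data_source, workspace_resource_id):
    """Minimal DCR body: one data source, one Log Analytics destination, one data flow."""
    dest_name = "sentinelWorkspace"
    return {
        "properties": {
            "dataSources": {"windowsEventLogs": [data_source]},
            "destinations": {
                "logAnalytics": [{"name": dest_name, "workspaceResourceId": workspace_resource_id}]
            },
            "dataFlows": [{"streams": [SECURITY_STREAM], "destinations": [dest_name]}],
        }
    }


if __name__ == "__main__":
    # Placeholder resource ID (constructed); substitute your workspace's ARM ID
    ws = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>"
    allow = windows_event_log_data_source("securityAllowList", [4624, 4625, 4672])
    deny = windows_event_log_data_source("securityDenyList", [5156, 4688, 4662], exclude=True)
    print(json.dumps(build_dcr(allow, ws), indent=2))
    print(deny["xPathQueries"][0])
```

Pick one form per channel: an allow-list already excludes everything it does not name, so stacking a deny-list on top of it only spends characters. The length guard is the failure mode to watch, since a generous allow-list of a couple of dozen IDs is enough to exceed it and the fix is to spread IDs over several `xPathQueries` entries.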
Customize Ingestion With Code
For bespoke log sources, your pipeline is programmable. Use Azure Functions, scripts, or Logic Apps to selectively transmit.
🔸 Python Example
```python
# send_to_sentinel() is the helper that posts to Log Analytics (not shown here)
if "CRITICAL" in log_line or "FAILURE" in log_line:
    send_to_sentinel(log_line)
```
Send what’s vital. Discard the static.
What to Ruthlessly Exclude
Here are prime candidates for exclusion — logs that rarely yield actionable intel:
| Source | Log Types to Skip |
|---|---|
| Fortinet | NAT/session logs, severity < 3 |
| Windows | 5156, 4688, 4662 (low signal) |
| Linux | Cron logs, routine SSH logins |
| Antivirus | “Clean” scans, signature updates |
| Custom Apps | Health checks, info/debug level |
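To put the Python pipeline idea and the exclusion table above together, here is an added example (not code from the original post) of a curation filter run over syslog lines. It parses RFC 3164 lines as a forwarder would emit them, applies the table's exclusions (noise patterns, cron, the low-signal Windows event IDs, FortiGate session records), then keeps detection-relevant signals regardless of severity before applying a severity threshold, so the sshd failure from the rsyslog section is not lost to overfiltering. The regexes, the mapping of table rows to checks, the severity threshold and the sample lines are all assumptions constructed for this example; the kept records are what you would hand to your upload helper.

```python
import re
from collections import Counter

# RFC 3164 line as the forwarder emits it: <PRI>timestamp host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # FortiGate / event-forwarder style key=value fields

# Exclusion table mapped to concrete checks (assumed mapping)
DENY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bdebug\b", r"\bheartbeat\b", r"\bhealth[- ]?check\b",
    r"signature update", r"scan (completed|finished)[^.]*clean",
)]
DENY_PROGRAMS = {"cron", "crond"}
DENY_WINDOWS_EVENT_IDS = {5156, 4688, 4662}
# Signals that must survive regardless of syslog severity (assumed list)
KEEP_PATTERNS = [re.compile(p) for p in (
    r"Failed password", r"authentication failure", r"\bCRITICAL\b", r"\bFAILURE\b",
)]
KEEP_WINDOWS_EVENT_IDS = {4624, 4625, 4672}


def parse_syslog(line):
    """Return facility, severity, host, prog, msg and key=value fields; None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    msg = m["msg"]
    return {
        "facility": pri // 8, "severity": pri % 8,
        "host": m["host"], "prog": m["prog"], "msg": msg,
        "fields": {k: v.strip('"') for k, v in KV_RE.findall(msg)},
    }


def should_ingest(rec, max_severity=2):
    """Decide whether a parsed record is worth forwarding; returns (keep, reason).

    Order matters: known noise is dropped first, detection-relevant signals are
    kept next even at info severity, and only then does the severity threshold
    apply (0 emerg .. 7 debug; keep when severity <= max_severity).
    """
    msg, f = rec["msg"], rec["fields"]
    if any(p.search(msg) for p in DENY_PATTERNS):
        return False, "deny-pattern"
    if rec["prog"].lower() in DENY_PROGRAMS:
        return False, "cron"
    event_id = int(f["EventID"]) if f.get("EventID", "").isdigit() else None
    if event_id in DENY_WINDOWS_EVENT_IDS:
        return False, "windows-deny"
    # FortiGate session/NAT records: drop unless the firewall denied the flow
    if f.get("type") == "traffic" and f.get("action") != "deny":
        return False, "fortinet-session"
    if event_id in KEEP_WINDOWS_EVENT_IDS:
        return True, "windows-allow"
    if any(p.search(msg) for p in KEEP_PATTERNS):
        return True, "signal"
    if rec["severity"] <= max_severity:
        return True, "severity"
    return False, "severity"


def curate(lines, max_severity=2):
    """Filter raw lines; return (kept_records, stats) where stats counts every decision."""
    kept, stats = [], Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            stats["drop:unparsed"] += 1  # surface parser misses instead of losing them silently
            continue
        keep, reason = should_ingest(rec, max_severity)
        stats[("keep:" if keep else "drop:") + reason] += 1
        if keep:
            kept.append(rec)
    return kept, stats


# Constructed sample input: one line per exclusion-table row plus the signals that must survive
SAMPLE_LINES = [
    '<189>May 12 10:00:01 fgt-edge fortigate: type="traffic" subtype="forward" level="notice" action="accept" srcip=10.1.1.5 dstip=8.8.8.8',
    '<186>May 12 10:00:02 fgt-edge fortigate: type="event" subtype="system" level="critical" logdesc="HA failover" msg="Cluster member failed"',
    '<38>May 12 10:00:03 web01 sshd[2211]: Failed password for root from 10.1.1.9 port 51122 ssh2',
    '<38>May 12 10:00:04 web01 sshd[2212]: Accepted publickey for deploy from 10.1.1.20 port 51123 ssh2',
    '<78>May 12 10:00:05 web01 CRON[2300]: (root) CMD (/usr/bin/logrotate)',
    '<14>May 12 10:00:06 app01 orders-api[4100]: GET /healthz 200 healthcheck ok',
    '<14>May 12 10:00:07 app01 orders-api[4100]: CRITICAL payment gateway timeout after 30s',
    '<13>May 12 10:00:08 dc01 wef-forwarder: EventID=4688 Channel=Security NewProcessName=C:\\Windows\\System32\\conhost.exe',
    '<13>May 12 10:00:09 dc01 wef-forwarder: EventID=4672 Channel=Security SubjectUserName=svc-backup',
    '<15>May 12 10:00:10 av01 epp-agent[77]: Signature update completed, version 2024.05.12',
]

if __name__ == "__main__":
    kept, stats = curate(SAMPLE_LINES)
    print(f"kept {len(kept)} of {len(SAMPLE_LINES)} lines")
    for decision, n in sorted(stats.items()):
        print(f"  {decision:22s} {n}")
```

The `stats` counter is the part to keep an eye on in production: per-reason drop counts by source tell you which feed is the log hog, and a rising `drop:unparsed` count means a device changed its format and your filter is now discarding blind rather than curating.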
Final Tips for Strategic Curation
- 🧪 Validate filters in a dev/test workspace
- 📊 Use Cost Analysis in Azure to find log hogs
- 🧱 Start broad, then fine-tune to your threat model
- 🚫 Don’t overfilter — always validate detection fidelity
The Takeaway: Curate With Courage
Smart logging isn’t about exclusion — it’s about intention. By curating your log data with foresight and finesse, you’ll forge a Sentinel environment that’s lean, luminous, and battle-ready.
🎯 Don’t forget: Sentinel Commitment Tiers + smart filtering = substantial cost savings with zero compromise on visibility.