Boost SOC Efficiency with Microsoft Sentinel Tools


A Practical Guide to Microsoft Sentinel SOC Optimization: Reduce Costs and Close Security Gaps

September 15, 2025 alifadmin 0 Comments

In today’s evolving threat landscape, Security Operations Center (SOC) teams face constant pressure. You’re tasked with improving processes, efficiently managing vast amounts of security data, and rapidly adapting your defenses to new threats. All this needs to be done while controlling costs and demonstrating value. It’s a significant challenge to ensure you have all the necessary data to address risks without incurring unnecessary ingestion costs.
This is where Microsoft Sentinel SOC optimization comes in. Designed to help SOC teams navigate these complexities, it offers a way to gain more value from your Microsoft security services. The primary goals are clear: reduce costs without negatively impacting your SOC’s effectiveness or coverage, and strategically add security controls and data where they are most needed. You can access SOC optimization in both the Microsoft Defender portal and the Azure portal.

Table of Contents

  • What is Microsoft Sentinel SOC Optimization?
  • Getting Started: Access and Setup
  • Understanding the Dashboard Metrics
  • Types of Recommendations
  • Managing Recommendation Status
  • Sample Optimization Workflow
  • Advanced: API Access for MSSPs
  • Conclusion

Key Takeaways

  • Sentinel SOC Optimization helps reduce costs and close security gaps.
  • Recommendations are tailored to your environment using real-time insights.
  • Two main types: Data Value (cost-saving) and Coverage-Based (threat protection).
  • Metrics like data usage, optimization value, and threat coverage help guide action.
  • You can manage, dismiss, or complete recommendations in a few clicks.
  • Advanced users can use the Sentinel API for automation and multi-tenant scaling.
  • Regular use improves security efficiency and ROI on Microsoft tools.

What is SOC Optimization in Microsoft Sentinel?

At its core, Microsoft Sentinel SOC optimization provides actionable recommendations that highlight ways to improve your security controls. These recommendations are not generic; they are tailored specifically to your environment and are informed by your current security coverage and the global threat landscape. By offering these targeted suggestions, SOC optimizations save your team valuable time that would otherwise be spent on manual analysis and research.

The service is available in both the Azure portal and, for those who have onboarded it, the Microsoft Defender portal.

Getting Started with SOC Optimization

To begin using this powerful feature, ensure you have the necessary standard Microsoft Sentinel roles and permissions. If you plan to use it within the Defender portal, you’ll also need to onboard Microsoft Sentinel to that portal.
Accessing the SOC optimization page is straightforward:

  • In the Defender portal, simply select SOC optimization from the menu.
  • In Microsoft Sentinel in the Azure portal, navigate to Threat Management and select SOC optimization.

Once your workspace is onboarded for unified security operations, the SOC optimizations will even incorporate coverage insights from across Microsoft security services.

Understand the SOC Optimization Overview

The first thing you’ll see is the Overview tab, which provides key metrics offering a high-level view of your data usage efficiency and optimization status. These metrics are dynamic and will change as you implement recommendations.

Key metrics include:

Recent optimization value: This shows the value gained from recently implemented recommendations.

Data ingested / Ingested data over the last 3 months: Displays the total data ingested in your workspace over the last 90 days (Defender portal) or three months (Azure portal).

Threat-based coverage optimizations: An indicator (High, Medium, Low) reflecting the percentage of activated analytics rules compared to recommendations from the Microsoft research team. A ‘High’ indicator means over 75% of recommended rules are active, ‘Medium’ is 30%-74%, and ‘Low’ is 0%-29%. You can select View all threat scenarios to see detailed information about the relevant threat and risk-based scenarios, active and recommended detections, and coverage levels.

Optimization status: Shows the count of recommendations that are currently Active, Completed, and Dismissed.

Types of SOC Optimization Recommendations

Microsoft Sentinel SOC optimization provides different categories of recommendations to address both cost and coverage needs.

Data Value Recommendations

These recommendations focus on helping you improve your data usage to maximize security value or suggesting a better data plan. The goal is to optimize your cost/security value ratio. These recommendations specifically look at billable tables that have ingested data within the past 30 days.

Common observations and suggested actions include:

  • Observation: The table wasn’t used by analytics rules or detections in the last 30 days but was used by other sources (like workbooks or queries).
    • Action: Turn on relevant analytics rule templates or, if eligible, move the table to a basic logs plan.
  • Observation: The table wasn’t used at all in the last 30 days.
    • Action: Turn on relevant analytics rule templates, or stop data ingestion and remove the table, or move it to long-term retention.
  • Observation: Azure Monitor only used the table.
    • Action: Turn on any relevant analytics rule templates for tables with security value or move the data to a non-security Log Analytics workspace.

There are also recommendations for Unused columns (Preview). For example, if the Conditional Access Policies column in SignInLogs or AADNonInteractiveUserSignInLogs isn’t being used, the recommendation is to stop data ingestion for that specific column.

Important Note: Before making any changes to ingestion plans, it’s crucial to understand your ingestion plan limits and ensure the affected tables aren’t required for compliance or similar reasons.

Coverage-Based Recommendations

These recommendations are designed to help you close security gaps against specific threats or scenarios that could lead to business risks.

Threat-based recommendations

Using a threat-based approach and based on Microsoft’s security research, these suggest adding security controls (like detections and data sources) to help close gaps for various attack types. They analyze your ingested logs and enabled rules against what’s needed for specific attacks, considering both predefined and user-defined detections. Actions include turning on analytics rule templates, connecting new data sources, or installing a solution.

AI MITRE ATT&CK tagging recommendations (Preview)

This feature uses AI to automatically suggest tagging untagged security detections with relevant MITRE ATT&CK tactics and techniques. This helps ensure your security coverage is complete and accurate. You can choose to apply these recommendations to a specific rule, all rules, or none.

Risk-based recommendations (Preview)

These recommend implementing controls to address coverage gaps linked to real-world scenarios associated with business risks such as Operational, Financial, Reputational, Compliance, and Legal risks. They are based on comparing your logs and rules against what’s needed for specific attack types that might cause these risks, considering both predefined and user-defined detections. Actions are similar to threat-based recommendations: turn on analytics rule templates, connect new data sources, or install a solution.

Similar Organizations Recommendations

Leveraging advanced machine learning, SOC optimization can identify log sources that are missing from your workspace but are used by organizations with similar ingestion trends and industry profiles. It then suggests connecting these data sources and related rules to enhance your security coverage. These recommendations are based on ML identifying significant similarities and missing tables. They are more likely to appear for less mature SOCs, and not all workspaces will receive them. The ML models do not access or analyze the content of customer logs or personal data (EUII); they rely solely on Organizational Identifiable Information (OII) and system metadata. Certain data source types are excluded, like custom connectors or tables used by fewer than 10 workspaces.

Viewing and Managing Recommendations

Recommendations are listed in the Your Optimizations area (Defender portal) or on the Overview tab (Azure portal). These recommendations are calculated every 24 hours. Each recommendation card shows the status, title, creation date, a brief description, and the applicable workspace.

You can easily filter optimizations by type (Coverage or Data value) or search by title.
To get more details, select View details on an optimization card. This shows you the observation that led to the recommendation and the potential value of implementing it in your environment. For threat-based optimizations, you can see coverage across MITRE ATT&CK tactics and techniques, and jump directly to the MITRE ATT&CK page or the Content Hub.

Taking Action on Recommendations

Links to perform the recommended actions are conveniently located at the bottom of the details pane.

– If the recommendation is to add analytics rules, select Go to Content Hub.
– If the recommendation is to move a table to basic logs, select Change Plan.

For threat-based coverage optimizations, selecting View full threat scenario lets you see the full list of relevant threats, active and recommended detections, and coverage levels. From there, you can go directly to the Content hub to activate recommended detections or to the MITRE ATT&CK page to view coverage. Note that installing a template from the Content hub only adds the template; you need to install the full solution to get all associated content items.

Managing Optimization Status

Recommendations start with an Active status. As your team works on them, you can change their status.
Available actions include:
Complete: Use when you’ve finished the recommended actions. Optimizations can also be automatically completed if environmental changes make them irrelevant.

Mark as in progress / Mark as active: Use to indicate that someone is actively working on the recommendation.

Dismiss: Use if you don’t plan to take the recommended action and want to remove it from the main list.

Provide feedback: Share your thoughts with the Microsoft team.

You can view completed and dismissed optimizations on separate tabs. You can also reactivate a completed or dismissed optimization, which triggers a recalculation to ensure the information is up to date.

Sample SOC Optimization Usage Flow

Here’s a typical way a SOC team might use Microsoft Sentinel SOC optimization:

1. Start by reviewing the top metrics on the SOC optimization dashboard to get an overview.

2. Review the optimization recommendations, focusing on Data value and Coverage-based types.

3. Identify tables with low usage using the recommendations. View the details to see the size and cost of unused data.

4. Based on the data value recommendations, decide on an action:
– Add analytics rules by going directly to the Content Hub via the link provided. If new rules need more data, consider ingesting those sources.
– Change the commitment tier for cost savings.

5. Use coverage recommendations to improve defenses against specific threats (e.g., human-operated ransomware).

6. View details to see current coverage and suggested improvements. Analyze MITRE ATT&CK techniques or go to the Content hub to find filtered recommended security content.

7. After implementing changes, mark the recommendation as completed or allow the system to update automatically.

Advanced Usage: Programmatic Access (Preview)

For more advanced users or for MSSPs managing multiple environments, the Microsoft Sentinel recommendations API (Preview) allows you to interact with SOC optimization recommendations programmatically.
This enables tasks like:
– Building custom reports and dashboards.
– Integrating with third-party tools like SOAR or ITSM services.
– Gaining automated, real-time access to optimization data.
– Managing recommendations across multiple workspaces scalably.
– Exporting data for auditing, archiving, or trend tracking.

Note that this API is currently in PREVIEW and requires using API version 2024-01-01-preview or later. You can use the API to get lists of recommendations, get specific recommendations, update their status, or manually trigger an evaluation.
The Microsoft Sentinel Optimization Workbook utilizes this API to visualize SOC optimization data, offering a starting point for creating custom dashboards.
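As an added example (not code from the article or from Microsoft), the script below does offline what a custom report built on the recommendations API would do: it turns a list response into rows, counts them per status like the Overview tab’s Optimization status metric, derives the threat-based coverage indicator from the High/Medium/Low thresholds given earlier, and enforces the Complete / In progress / Dismiss / Reactivate status workflow. The JSON field names and the sample payload are constructed assumptions, not the documented API schema.

```python
import json
from collections import Counter

def coverage_indicator(active: int, recommended: int) -> str:
    """Threat-based coverage indicator using the article's thresholds."""
    if recommended <= 0:
        return "Low"
    pct = active * 100 // recommended  # floor: 74.9% is still Medium
    if pct >= 75:  # page says "over 75%"; exactly 75 counted as High (assumption)
        return "High"
    return "Medium" if pct >= 30 else "Low"

# Constructed sample shaped like a list response; the field names are assumptions.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"name": "rec-1", "properties": {"category": "DataValue", "status": "Active",
     "title": "Table unused by analytics rules in the last 30 days"}},
    {"name": "rec-2", "properties": {"category": "Coverage", "status": "Active",
     "title": "Human-operated ransomware: recommended detections inactive"}},
    {"name": "rec-3", "properties": {"category": "Coverage", "status": "Completed",
     "title": "Untagged rules: AI MITRE ATT&CK tagging"}},
    {"name": "rec-4", "properties": {"category": "DataValue", "status": "Dismissed",
     "title": "Unused column ConditionalAccessPolicies in SignInLogs"}},
]})

def parse_recommendations(raw: str) -> list:
    """Flatten the 'value' array into {name, category, status, title} rows."""
    rows = []
    for item in json.loads(raw).get("value", []):
        p = item.get("properties", {})
        rows.append({"name": item["name"], "category": p.get("category"),
                     "status": p.get("status"), "title": p.get("title")})
    return rows

def optimization_status(rows: list) -> dict:
    """Per-status counts, like the Overview tab's 'Optimization status' metric."""
    return dict(Counter(r["status"] for r in rows))

# Status changes the article describes: complete, mark in progress / mark as
# active, dismiss, and reactivate (which triggers a recalculation).
_TRANSITIONS = {
    ("Active", "mark_in_progress"): "InProgress", ("InProgress", "mark_active"): "Active",
    ("Active", "complete"): "Completed", ("InProgress", "complete"): "Completed",
    ("Active", "dismiss"): "Dismissed", ("InProgress", "dismiss"): "Dismissed",
    ("Completed", "reactivate"): "Active", ("Dismissed", "reactivate"): "Active",
}

def transition(status: str, action: str) -> str:
    """Apply one status action, rejecting moves the workflow does not allow."""
    if (status, action) not in _TRANSITIONS:
        raise ValueError(f"cannot {action} a recommendation that is {status}")
    return _TRANSITIONS[(status, action)]
```

To use it against a real workspace, replace SAMPLE_RESPONSE with the body of a recommendations list call made with api-version 2024-01-01-preview; the rest of the logic is unchanged.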

Conclusion

Microsoft Sentinel SOC optimization is a vital tool for any SOC looking to enhance efficiency and effectiveness. By providing practical, actionable recommendations, it helps teams reduce costs by optimizing data ingestion and close security gaps by improving threat and risk coverage. Leveraging this feature allows your SOC to gain more value from your security investments and stay better protected against the evolving threat landscape.
