Maximizing Microsoft Sentinel Log Storage with ADX

January 31, 2024 | 2 min read

Micah Heaton

Executive Director, Managed Security Center of Excellence


Microsoft synthesizes roughly 65 trillion signals every day. All that security data makes Microsoft Sentinel one of the top SIEM solutions worldwide. Behind the scenes, there are many ways to ensure Microsoft Sentinel delivers optimal threat detection for your organization. That includes ensuring all security logs are centrally ingested, analyzed, and stored on Sentinel.

At a high level, that seems like the best strategy – keep everything on Sentinel. After some log and detection optimization, Sentinel will deliver one of the highest security postures available at a controllable and manageable cost.

But an 'ingest-everything' strategy isn't always practical for larger organizations, where weekly volumes are measured in TBs, not GBs. Not only are valuable security analysts wasting resources managing mountains of data with limited threat detection value, but the cost of storing all that data can reach tens to hundreds of thousands of dollars per month.

Microsoft Azure ADX clusters offer a more cost-efficient log storage alternative to Sentinel. The challenge is creating a system that manages which logs are sent to ADX and also copied to Sentinel. Moreover, things change. 'Set it and forget it' only works for a while before someone needs to adjust that system without breaking it. That also includes ensuring that all log feeds remain connected and healthy and that the ADX cluster works as it should.

One might recommend sending logs with low or no security value to a slow, deep archive, but that usually doesn't work. Although many logs have low threat detection value, they are still needed for investigations, forensics, retro-hunting, or compliance.

The result is that organizations keep all their logs, regardless of threat detection value, on Sentinel. It's easier and sometimes more cost-efficient than splitting logs between Sentinel and ADX.

BlueVoyant helps clients of all sizes make intelligent decisions about log ingestion. As part of our Microsoft MXDR service, we assist organizations with innovative strategies to make data storage costs easy to control and predict.

But for larger clients that collect TBs of log data every week, managing logs on both Sentinel and ADX is not a simple task; it requires expertise, management, and around-the-clock monitoring.

BlueVoyant's Microsoft Advanced Log Routing with ADX is a new managed service. It gives large organizations a standardized way to store logs on a lower-cost ADX storage option to streamline costs. Only logs with threat detection value are duplicated to Sentinel. By reducing the volume and types of data entering Sentinel, valuable security analysts can focus on data that helps detect threats instead of spending resources managing data with little or no immediate security value. Moreover, BlueVoyant will manage the environment so that in-house security teams don't need to.

With our BlueVoyant Microsoft Advanced Log Routing with ADX service, we will deploy our BlueVoyant virtual Log Collector, configure the ADX environment, connect logs, and configure management policies. We'll also implement ADX-specific functions in Microsoft Sentinel to enable searching of the data retained in the ADX environment. That includes managing the ADX cluster and monitoring ADX event logs to ensure the ADX infrastructure remains secure and healthy.
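As an added illustration of the kind of ADX-specific function mentioned above (example code, not BlueVoyant's or Microsoft's own), the KQL below can be saved as a function in Sentinel so that an investigation query spans both the hot tier in the Sentinel workspace and the longer retention kept in ADX. The cluster URL, database, table name and the 30-day hot-tier window are placeholders and assumptions; the cross-service `adx()` call requires the querying identity to have read access on the ADX database.

```kql
// Added example, not part of the original post. Replace the placeholder
// cluster URL, database and table with your own; the 30-day hot window is
// an assumption about the Sentinel workspace's interactive retention.
let lookback  = 90d;   // how far back the investigation needs to reach
let hotWindow = 30d;   // assumed Sentinel hot-tier retention
// Rows older than the hot window come from the ADX cluster that receives the
// full log stream; only the time range Sentinel no longer holds is pulled.
let archived =
    adx("https://<cluster>.<region>.kusto.windows.net/<database>").SecurityEvent
    | where TimeGenerated between (ago(lookback) .. ago(hotWindow));
// Recent rows come from the Sentinel workspace itself.
let hot =
    SecurityEvent
    | where TimeGenerated > ago(hotWindow);
// Union both tiers so the analyst sees one continuous timeline. Example
// pivot: failed logons (Windows EventID 4625) per account and host.
union hot, archived
| where EventID == 4625
| summarize Failures = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by Account, Computer
| order by Failures desc
```

Because the two time ranges do not overlap, a log that was duplicated to both Sentinel and ADX is counted once; if retention windows differ from the assumption, adjust `hotWindow` so the boundary matches the workspace's actual retention.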

Using ADX to store security logs isn't always practical and doesn't always result in improved cost efficiency. But for larger organizations with substantial volumes of data, it can reduce security op-ex, which could be used to streamline other security operations or further harden existing safeguards.