
Smarter SOC, Lower Costs: A Guide to Sentinel Optimization

Security operations center (SOC) teams are constantly looking for ways to improve their work and results. A big part of this is making sure they have the right data to handle risks without paying for more data than necessary. SOC teams also need to be able to quickly change their security tools and settings as threats and business needs change. This helps them get the most value for their effort and investment.

SOC optimizations are recommendations that are easy to act on. They show you ways to make your security controls work better, helping you get more value from Microsoft security services over time. These recommendations are designed to help you:

  • Reduce costs without negatively impacting your SOC's needs or coverage.

  • Add necessary security controls and data where needed.

  • Ensure you have the data needed to address risks without extra ingestion costs.


The recommendations are specially made for your environment, considering what security you already have and the current threats you face. They help you fill gaps in your security coverage against specific threats and reduce how much data you bring in if it doesn't add security value. SOC optimizations help you make your Microsoft Sentinel workspace better without your SOC team having to spend lots of time manually looking for problems and solutions.

You can find SOC optimization available within Microsoft Sentinel in the Microsoft Defender portal and in the Azure portal.


What are SOC Optimizations?

Think of SOC optimizations as actionable advice from Microsoft security services. They are built to help you gain more value from your security setup over time.

Specifically, they:

  • Show you ways to optimize your security controls.

  • Help you close gaps in your security coverage against particular threats.

  • Suggest how to tighten data ingestion for data that doesn't provide much security value.

  • Help you optimize your Microsoft Sentinel workspace without requiring manual analysis and research from your SOC team.


These recommendations are designed to save your SOC team time and effort while making your security posture stronger and potentially reducing costs.


Accessing and Understanding SOC Optimization

To use SOC optimization, you'll need standard Microsoft Sentinel roles and permissions. If you want to use it in the Defender portal, you first need to connect Microsoft Sentinel to the Defender portal.

You can find SOC optimization in two main places:

  • In the Microsoft Defender portal, select SOC optimization.

  • In Microsoft Sentinel in the Azure portal, under Threat management, select SOC optimization.

Once you're on the SOC optimization page, you'll see overview metrics at the top of the Overview tab. These metrics give you a quick look at how well you're using your data and your overall optimization status.

Here are some of the key metrics you might see:

  • Recent optimization value: This shows the value you've gained from recommendations you've recently put into action.

  • Data ingested: This shows the total amount of data brought into your workspace over the last 90 days (in the Defender portal) or three months (in the Azure portal).

  • Threat-based coverage optimizations: Gives you an indicator (High, Medium, or Low) based on how many of Microsoft's recommended analytics rules you have turned on:

      • High: Over 75% of recommended rules are active.

      • Medium: 30% to 74% of recommended rules are active.

      • Low: 0% to 29% of recommended rules are active.

    You can select View all threat scenarios to see the complete list of relevant threat and risk scenarios, the rules you have active versus those recommended, and your coverage levels.

  • Optimization status: This shows you the number of recommended optimizations that are currently active, those you've completed, and those you've dismissed.


Deep Dive into Recommendation Types

SOC Optimization recommendations fall into several helpful categories to cover different areas of improvement.


Data value recommendations

These suggestions look at how you're using your data, so you can either get more security value out of it or move it to a data plan that fits that use better.

They look at billable tables that have received data in the last 30 days.

Examples of observations and suggested actions:

  • Observation: A table wasn't used by detections in the last 30 days, but was used by other things like dashboards (workbooks) or manual searches (queries).

  • Action: Turn on analytics rule templates that use this table, OR move the table to a basic logs plan if it's eligible.

  • Observation: A table wasn't used at all in the last 30 days.

  • Action: Turn on analytics rule templates OR stop bringing in data for that table or move it to long-term storage.

  • Observation: A table was only used by Azure Monitor, not for security detection.

  • Action: Turn on any relevant analytics rule templates that use this table for security, OR move the table to a Log Analytics workspace that isn't for security.

  • There's also a preview feature for Unused columns. For example, if the Conditional Access Policies column in SigninLogs isn't being used, the recommendation is to stop ingesting data for just that column.

  • Important: Before making changes to data plans, always make sure you understand the limits of your plan and if the data is needed for compliance or other reasons.
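To make the data value check concrete, here is an added Python example (not Microsoft's code, and not how the service itself computes its recommendations) that cross-references 30-day billable ingestion with the KQL of your analytics rules and of other consumers such as workbooks, then emits the observation/action pairs listed above. The `Usage` rows, rule queries and workbook query are constructed sample data; the column names `DataType`, `Quantity` and `IsBillable` follow the Log Analytics `Usage` table. Table matching is a plain lexical match, so a table reached only through a function or a `search` operator would be missed.

```python
"""Added example: find billable tables that feed no detection.

Mirrors the 'data value' observations above: a table ingested in the last
30 days but referenced by no analytics rule is a candidate for enabling rule
templates, changing its plan, or stopping ingestion.
"""
import re
from collections import defaultdict

# Constructed sample of Log Analytics `Usage` rows aggregated over 30 days.
# Quantity is in MB, as in the real Usage table.
USAGE_30D = [
    {"DataType": "SecurityEvent", "Quantity": 52000.0, "IsBillable": True},
    {"DataType": "SigninLogs", "Quantity": 18000.0, "IsBillable": True},
    {"DataType": "CommonSecurityLog", "Quantity": 31000.0, "IsBillable": True},
    {"DataType": "Perf", "Quantity": 9000.0, "IsBillable": True},
    {"DataType": "AzureActivity", "Quantity": 0.0, "IsBillable": False},
]

# Constructed analytics rules (display name -> KQL).
RULES = {
    "Brute force against Windows hosts":
        "SecurityEvent | where EventID == 4625 | summarize count() by Account",
    "Risky sign-in followed by MFA change":
        "SigninLogs | where RiskLevelDuringSignIn == 'high' "
        "| join (AuditLogs) on CorrelationId",
}

# Constructed non-detection consumers (workbooks, saved searches).
OTHER_CONSUMERS = {
    "Firewall traffic workbook":
        "CommonSecurityLog | summarize sum(SentBytes) by DeviceVendor",
}


def tables_referenced(kql, known_tables):
    """Return the known table names that appear as whole identifiers in a query.

    Lexical only: tables reached via a function or `search` are not detected.
    """
    return {t for t in known_tables if re.search(rf"\b{re.escape(t)}\b", kql)}


def data_value_findings(usage_rows, rules, other_consumers):
    """One finding per billable table with data that no analytics rule uses.

    Findings are ordered by 30-day volume so the costliest gaps come first.
    """
    tables = {r["DataType"]: r["Quantity"]
              for r in usage_rows if r["IsBillable"] and r["Quantity"] > 0}

    used_by_rule = defaultdict(set)
    for name, kql in rules.items():
        for t in tables_referenced(kql, tables):
            used_by_rule[t].add(name)

    used_elsewhere = defaultdict(set)
    for name, kql in other_consumers.items():
        for t in tables_referenced(kql, tables):
            used_elsewhere[t].add(name)

    findings = []
    for table, mb in sorted(tables.items(), key=lambda kv: -kv[1]):
        if table in used_by_rule:
            continue  # feeds at least one detection: no data value finding
        if table in used_elsewhere:
            # Observation: used by workbooks/queries but not by detections.
            action = ("enable rule templates for this table, or move it to "
                      "the basic logs plan if eligible")
        else:
            # Observation: not used at all in the last 30 days.
            action = ("enable rule templates, stop ingesting the table, or "
                      "move it to long-term storage")
        findings.append({
            "table": table,
            "mb_30d": mb,
            "action": action,
            "other_consumers": sorted(used_elsewhere.get(table, [])),
        })
    return findings


if __name__ == "__main__":
    for f in data_value_findings(USAGE_30D, RULES, OTHER_CONSUMERS):
        print(f"{f['table']:<20} {f['mb_30d']:>8.0f} MB -> {f['action']}")
```

In practice the `USAGE_30D` rows would come from a `Usage | where TimeGenerated > ago(30d) | summarize sum(Quantity) by DataType, IsBillable` query and the rule text from your exported analytics rules; the point of the script is that the same join the service performs for you is cheap to reproduce when you want to audit a recommendation before acting on it.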


Coverage-based recommendations

These help you fill in security gaps against specific threats or situations that could lead to business risks.

This category includes a few types:

  • Threat-based recommendations: Based on Microsoft's security research, these suggest adding more detections and data sources to help you catch different types of attacks.

      • They compare your data and enabled rules with what's needed to detect certain attacks and flag the differences.

      • They consider both the rules Microsoft provides and the custom rules you create.


Examples of observations and actions:

  • Observation: You have the data source, but you're missing detections that use it.

  • Action: Turn on analytics rule templates related to that threat.

  • Observation: You have the detection templates turned on, but you're missing the necessary data source.

  • Action: Connect new data sources.

  • Observation: You don't have the detections or the data sources.

  • Action: Connect the necessary data sources and detections or install a security solution that provides them.

AI MITRE ATT&CK tagging recommendations (Preview)

This feature uses artificial intelligence to suggest tagging your security detections that don't have MITRE ATT&CK tactics and techniques assigned.

  • This helps ensure your security coverage is thorough and precise, improving threat detection and response.

  • You can apply these recommendations to a specific rule, all rules, or choose not to apply them.


Risk-based recommendations (Preview)

These look at real-world security situations and the potential business risks they could cause (like operational, financial, reputation, compliance, or legal risks).

  • They compare your data and rules to what's needed to protect against and respond to attacks that could cause these risks.

  • Examples of observations and actions are similar to Threat-based recommendations.


Similar organizations recommendations

This uses advanced machine learning to find data tables that are missing from your workspace but are being used by other organizations that are similar to yours (based on how they bring in data and their industry). It suggests connecting those data sources and turning on related rules to improve your security coverage.

Important things to know:

  • The machine learning model never looks at the actual content of your logs. It only uses information about your organization and system details.

  • Not every workspace will receive these recommendations. They are more likely for SOCs that are newer or still setting things up than for very mature SOCs.

  • These recommendations don't include custom data sources or tables used by fewer than 10 workspaces.


Viewing and Managing Recommendations

SOC optimization recommendations are updated about every 24 hours.

You'll find the list of recommendations in the Your Optimizations area (in the Defender portal) or on the SOC optimization > Overview tab (in the Azure portal). Each card for a recommendation shows its status, title, when it was created, a brief description, and which workspace it applies to.

You can filter the recommendations by their type (like Coverage or Data value) or search for a specific title.

To learn more about a recommendation, select View details on its card. This shows you why the recommendation was made and the value you could get from doing what's suggested. For threat-based recommendations, you can also see charts showing your coverage across different MITRE ATT&CK tactics and techniques and jump directly to the MITRE ATT&CK page filtered for that threat scenario. You can also view the full threat scenario details, including active and recommended detections, and easily jump to the Content Hub or MITRE ATT&CK page from there.

To take action, scroll down in the details pane to find links. For example, you might see links to Go to Content Hub to add recommended analytics rules or Change the plan to move a data table to basic logs. If you install an analytics rule template from the Content hub, it's a good idea to install the full solution it came from to get all related content items.


As you work on recommendations, you can manage their status. By default, recommendations are Active. You can change them to In progress if you're working on them or Completed when you're done. If your environment changes in a way that makes a recommendation no longer relevant (like if you start using a previously unused table), the optimization might be automatically completed. You'll see a banner on the Overview tab if optimizations have been automatically completed since your last visit. You can also Dismiss recommendations if you don't plan to take action on them.

You can see your Completed and Dismissed optimizations on separate tabs. From there, you can Reactivate an optimization if needed. Reactivating triggers a recalculation to give you the most current details, which can take up to an hour. An optimization that is reactivated might even go back to the Completed tab if it's still not relevant after recalculation. You can also provide feedback about recommendations to the Microsoft team.


Example Usage Flow

Here's a simple way you might use SOC optimization:

  • Go to the SOC optimization page and first look at the metrics at the top to get a sense of your overall status.

  • Review the list of recommendations, paying attention to both data value and threat-based coverage suggestions.

  • Address data value issues: Look for recommendations about tables that aren't used much. View the details to see how much data size and cost are involved.

      • Decide on an action: maybe add analytics rules that use that table (you can go directly to the right rules in the Content Hub), or consider changing the data plan for that table.

  • Address coverage gaps: Look for recommendations related to specific threats, like "human-operated ransomware". View the details to see your current coverage and how it could improve. You can view the MITRE ATT&CK technique improvements to understand the specific gaps. Then, go to the Content Hub directly from the recommendation to find and activate the suggested security content, which is already filtered for you.

  • After you've taken action, you can mark the recommendation as completed, or the system might automatically update its status after your changes are detected.


Advanced Usage: Programmatic Access (Preview)

For those who want more flexibility or need to manage optimizations across many workspaces, there's the Microsoft Sentinel recommendations API (Preview). This allows you to interact with SOC optimization recommendations using code.

You can use this API for things like:

  • Creating custom reports and dashboards. For example, the Microsoft Sentinel Optimization Workbook uses this API.

  • Connecting with other tools you use, like SOAR (Security Orchestration, Automation, and Response) or ITSM (IT Service Management) services.

  • Getting automated, real-time access to optimization data and triggering evaluations when needed.

  • Managing recommendations scalably across multiple workspaces, which is great for organizations or partners (MSSPs) handling many environments.

  • Exporting data for auditing, keeping records, or tracking how things change over time.

Using the API, you can get a list of all recommendations, get details for a specific recommendation using its ID, update a recommendation's status, or manually tell the system to reevaluate a recommendation after you've made changes.

The Microsoft Sentinel Optimization Workbook is a ready-to-use example that visualizes this data using the API. You can install it in your workspace and customize it.
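As an added illustration (not Microsoft's code and not the Optimization Workbook) of the operations listed above, the following Python client lists recommendations through Azure Resource Manager using the signed-in Azure CLI identity, follows ARM paging, summarises the results by type and state, exports them as CSV for audit, and shows how a status update or re-evaluation request would be sent. Verify these assumptions against the API reference before use: the `recommendations` resource path under `Microsoft.SecurityInsights`, the `api-version` value, the name of the re-evaluation action, the PATCH body shape, and the property names (`recommendationTypeTitle`, `state`, `title`, `creationTimeUtc`) read from each recommendation. The environment variable names are placeholders and the pages fed to the paging helper in testing are constructed data.

```python
"""Added example: thin client for the Microsoft Sentinel recommendations API.

Only the standard library is used; the network calls live in arm_request and
main, while URL building, paging and reporting are pure functions.
"""
import csv
import io
import json
import os
import subprocess
import urllib.parse
import urllib.request
from collections import Counter

ARM = "https://management.azure.com"
# Assumption: confirm the current preview api-version in the API reference.
API_VERSION = "2024-01-01-preview"


def recommendations_url(subscription_id, resource_group, workspace,
                        recommendation_id=None, action=None):
    """Build the ARM URL for the collection, one recommendation, or an action
    on it. The resource path and the action name are assumptions to verify."""
    path = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/recommendations")
    if recommendation_id:
        path += f"/{recommendation_id}"
        if action:
            path += f"/{action}"
    return f"{ARM}{path}?api-version={urllib.parse.quote(API_VERSION)}"


def az_cli_token():
    """Reuse the signed-in Azure CLI identity: no client secret on disk."""
    out = subprocess.check_output(
        ["az", "account", "get-access-token", "--resource", ARM, "--output", "json"])
    return json.loads(out)["accessToken"]


def arm_request(url, token, method="GET", body=None):
    """Send one authenticated ARM request and decode the JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def list_all(first_url, fetch):
    """Follow ARM paging: each page is {"value": [...], "nextLink": "..."}.
    fetch(url) is injected so the paging logic can be exercised offline."""
    items, url = [], first_url
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items


def set_state(url, token, new_state):
    """Update a recommendation's status. Body shape and state strings are
    assumptions; the portal labels are Active, In progress, Completed, Dismissed."""
    return arm_request(url, token, method="PATCH",
                       body={"properties": {"state": new_state}})


def summarize(recs):
    """Count recommendations by type and by state (property names assumed)."""
    by_type = Counter(r["properties"].get("recommendationTypeTitle", "unknown")
                      for r in recs)
    by_state = Counter(r["properties"].get("state", "unknown") for r in recs)
    return {"by_type": dict(by_type), "by_state": dict(by_state)}


def to_csv(recs):
    """Flatten recommendations to CSV for audit or trend tracking."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "title", "type", "state", "created"])
    for r in recs:
        p = r["properties"]
        writer.writerow([r.get("name"), p.get("title"),
                         p.get("recommendationTypeTitle"), p.get("state"),
                         p.get("creationTimeUtc")])
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder environment variables: set them to your own workspace.
    token = az_cli_token()
    url = recommendations_url(os.environ["SENTINEL_SUB_ID"],
                              os.environ["SENTINEL_RG"],
                              os.environ["SENTINEL_WORKSPACE"])
    recs = list_all(url, lambda u: arm_request(u, token))
    print(json.dumps(summarize(recs), indent=2))
    print(to_csv(recs))
```

Injecting `fetch` into `list_all` keeps the paging logic testable without a tenant, and routing every call through `arm_request` means the same client works for the per-recommendation GET, the PATCH that changes status, and the POST that requests a re-evaluation once you have confirmed the exact paths and body shapes.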


Conclusion

Microsoft Sentinel SOC optimization is a powerful tool designed to help your security team work smarter and more effectively. By providing tailored, actionable recommendations, it helps you manage security with more precision. It works to improve efficiency, potentially reduce costs, significantly enhance threat coverage, and ultimately streamline your security operations.
