Build your security data lake with Microsoft Sentinel & Data Explorer; a match made in Azure! ☁️🔐

In this session, Koos unravels the secrets of efficient and cost-effective log storage for security logs (a.k.a. Security Data Lake).

He'll explain why Microsoft Sentinel isn’t always the best destination for ALL security logs, particularly "chatty" logs like network or firewall data.

Koos will highlight the benefits of Azure Data Explorer, offering limitless storage at a fraction of the cost while retaining the power of Kusto Query Language (KQL) for seamless data exploration.

He demonstrates how to build a multi-tiered log architecture in which each tier matches the value of the logs it holds, and shows how security analysts can retrieve logs from multiple destinations directly within the Defender XDR UI.

Koos also clarifies the differences between "parse on ingest" and "parse on query" for custom logs, outlining how each approach can improve your architecture.

Finally, he explores how Elastic Logstash simplifies log distribution across multiple sources and destinations, proving to be the Swiss Army knife of logging solutions.

The session includes several demos where Koos showcases free PowerShell tools he has developed over the years to optimize and deploy solutions at scale with ease.

Key takeaways:
- The pros and cons for each Sentinel Table tier (Analytics, Basic, Auxiliary).
- Why Azure Data Explorer (ADX) might be a perfect companion alongside Sentinel.
- How to create a multi-tiered log architecture with multiple destinations, and how security analysts can explore data from all of them (including ADX) straight from Defender XDR.

Koos Goossens

Microsoft Security MVP | Cloud & Security Consultant @ Wortell

Maurik, The Netherlands
