#Microsoft Sentinel #PowerShell #Data and logging #Cost Optimization

Tool Release: Log Horizon


So I made a thing. It’s called Log Horizon and it connects to your Microsoft Sentinel workspace, goes through every log table you’re ingesting, and tells you whether you’re getting security value from it or just burning money.

It ties together some of my earlier posts, like the one on cost estimation in Microsoft Sentinel and the series on automating security monitoring. Cost estimation gives you the how much, detection engineering gives you the what for, but nothing really tied the two together into a single view. So that’s the gap I’m trying to bridge. Did I do it? Probably not, but you miss a hundred… yeah, that.

What is it?

Log Horizon is a PowerShell module that connects to your Microsoft Sentinel workspace (and optionally Defender XDR), pulls every log table you’re ingesting, and answers the question: is this table worth the money?

It does this through four phases:

  1. Data collection - pulls table usage, analytics rules, hunting queries, data connectors and SOC optimisation recommendations from the APIs
  2. Classification - classifies every table against a 344-entry knowledge base covering 190+ connectors, with heuristic fallback for anything not in the knowledge base
  3. Cost-value scoring - scores each table on ingestion cost vs detection coverage, producing assessments like High Value, Missing Coverage, or Data Lake Candidate
  4. Recommendations - generates prioritised, actionable recommendations with estimated savings

The idea is you run it, get a report, and have something concrete to bring into a meeting instead of waving your hands around saying “I think we might be overpaying”. It should also be useful for outfits that don’t have much SecOps headcount to spend on reviewing log sources by hand.

Quick example

Install-Module -Name Az.Accounts, Az.OperationalInsights, Az.SecurityInsights, PwshSpectreConsole -Scope CurrentUser

git clone https://github.com/lnfernux/log-horizon
Import-Module ./log-horizon/LogHorizon.psd1

Invoke-LogHorizon -SubscriptionId '<sub-id>' -ResourceGroup 'rg-sentinel' -WorkspaceName 'my-sentinel-ws'

You get a Spectre.Console TUI with coloured tables, a menu to dig into different views, and the option to export to JSON or Markdown. You can also throw in -Keywords 'CrowdStrike','AWS','Okta' to run a keyword gap analysis that flags tables you’re probably missing.

Why not just use the SOC Optimisation page?

Microsoft’s built-in SOC optimisation recommendations are great, and Log Horizon actually pulls those in too. But they don’t give you the full picture. They won’t tell you that you’re ingesting 40 GB/day into a table with zero detections pointing at it, or that three of your high-volume tables are already covered by Defender XDR streaming and could be moved to a cheaper tier.

Log Horizon combines the cost dimension with the detection dimension and the classification dimension to give you a single view … ish.
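To make the cost-plus-detection join concrete, here is an added example of the idea behind phases 3 and 4 above and the “40 GB/day with zero detections” case. This is illustration code written for this post, not Log Horizon’s own implementation: the table volumes, the analytics rules, the Defender XDR coverage list, the per-GB price and the classification thresholds are all constructed or assumed, and the regex-based table extraction from KQL is a heuristic of my own, not the tool’s classifier.

```powershell
# Added example (not Log Horizon's code): join per-table ingestion volume with the
# analytics rules that reference each table, then classify. The thresholds and the
# per-GB price are assumptions for illustration, not the tool's actual scoring.

# Constructed sample data. In a real workspace the volumes would come from the Usage
# table via Invoke-AzOperationalInsightsQuery, e.g.:
#   Usage | where TimeGenerated > ago(30d) and IsBillable == true
#   | summarize GbPerDay = sum(Quantity) / 1024 / 30 by DataType
# and the rules from Get-AzSentinelAlertRule (scheduled rules carry a Query property).
$tableUsage = @(
    [pscustomobject]@{ Table = 'Syslog';            GbPerDay = 40.0 }
    [pscustomobject]@{ Table = 'SecurityEvent';     GbPerDay = 25.0 }
    [pscustomobject]@{ Table = 'CommonSecurityLog'; GbPerDay = 18.0 }
    [pscustomobject]@{ Table = 'SigninLogs';        GbPerDay = 3.5  }
    [pscustomobject]@{ Table = 'AzureActivity';     GbPerDay = 1.2  }
)

# Constructed analytics rules; only the KQL text matters for the join.
$analyticsRules = @(
    [pscustomobject]@{ Name = 'Password spray';    Query = 'SigninLogs | where ResultType == "50126" | summarize count() by IPAddress' }
    [pscustomobject]@{ Name = 'Risky sign-in';     Query = 'SigninLogs | where RiskLevelDuringSignIn == "high"' }
    [pscustomobject]@{ Name = 'Role assignment';   Query = 'AzureActivity | where OperationNameValue endswith "roleAssignments/write"' }
    [pscustomobject]@{ Name = 'Firewall threat';   Query = 'CommonSecurityLog | where LogSeverity == "High"' }
)

# Tables assumed to be reachable through Defender XDR streaming (constructed).
$xdrCovered = @('SecurityEvent')

# Assumed pay-as-you-go analytics tier price in USD/GB; replace with your contract rate.
$pricePerGb = 4.30

function Get-ReferencedTables {
    param([string]$Query, [string[]]$KnownTables)
    # Heuristic: match known table names as whole words in the KQL. This misses tables
    # reached through saved functions, union wildcards or dynamic table() calls.
    $KnownTables | Where-Object { $Query -match "(?<![\w.])$([regex]::Escape($_))\b" }
}

function Get-TableAssessment {
    param([double]$GbPerDay, [int]$RuleCount, [bool]$CoveredByXdr)
    # Illustrative thresholds, not Log Horizon's scoring.
    if ($RuleCount -gt 0) { return 'High Value' }
    if ($CoveredByXdr -and $GbPerDay -ge 10) { return 'Data Lake Candidate' }
    return 'Missing Coverage'
}

$knownTables = $tableUsage.Table
$report = foreach ($t in $tableUsage) {
    $rules = @($analyticsRules | Where-Object {
        (Get-ReferencedTables -Query $_.Query -KnownTables $knownTables) -contains $t.Table
    })
    $inXdr = $xdrCovered -contains $t.Table
    [pscustomobject]@{
        Table       = $t.Table
        GbPerDay    = $t.GbPerDay
        MonthlyCost = [math]::Round($t.GbPerDay * 30 * $pricePerGb, 2)
        Detections  = $rules.Count
        XdrCovered  = $inXdr
        Assessment  = Get-TableAssessment -GbPerDay $t.GbPerDay -RuleCount $rules.Count -CoveredByXdr $inXdr
    }
}

# Most expensive first, so the zero-detection, high-volume tables float to the top.
$report | Sort-Object MonthlyCost -Descending | Format-Table -AutoSize
```

With this data Syslog comes out as Missing Coverage (40 GB/day, no rule touches it), SecurityEvent as a Data Lake Candidate (high volume, nothing pointing at it, but already reachable from Defender XDR), and the other three as High Value. The point of the exercise is the join, not the thresholds: once each table carries both a monthly cost and a detection count, the “is it worth the money?” conversation has numbers in it.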

Important caveat

This is a generic approach. The classifications are a starting point, not the final say. If you know a log source is critical to your environment, that context takes precedence over what the tool says. It’s meant to surface things you might have missed or haven’t reviewed in a while, not to replace your judgment.