#Microsoft Sentinel #PowerShell #Data and logging #Cost Optimization

Log Horizon Update 0.5.0: HTML Export, Transform Insights, and Hardening

I have been iterating daily on Log Horizon since the initial release, so I thought I’d summarize some of the changes in one article.

The short version is this: reporting is now easier to share, transform analysis is much deeper, retention and correlation context is clearer, and the module is safer to run in automation.

I’m not nearly done yet; some of the things I’m working on are:

  1. Recommendations for XDR tables (here too, we want to keep data beyond the 30-day default)
  2. Detection analysis: sure, you have 200 rules and great MITRE coverage, but are 90% of those rules’ incidents closed by automation rules or SOAR as known false/benign positives?
  3. The Full Control Encounter, or FCE.
    • A wizard, invoked with -Wizard or -Shiroe (Shiroe is the main character of the Log Horizon series, and also the one who uses the Full Control Encounter), that helps you create a custom baseline file for use with Log Horizon!

Have other ideas? Reach out to me on Bluesky and let me know.

What changed

From 0.2.1 to 0.5.0, the work has focused on four things:

  • Better decisions: stronger table analysis, split-table logic, and transform visibility.
  • Better reporting: cleaner markdown, full-fidelity KQL in outputs, and fully self-contained HTML export.
  • Better safety: stricter handling of tokens, output paths, and HTML content.
  • Better repeatability: non-interactive execution support and stronger test coverage.

Biggest improvements

The 0.5.0 release introduced the biggest practical jump for day-to-day use.

  • Static HTML export is now fully self-contained with pure CSS tabs, no JavaScript, and no CDN dependencies. That makes reports easier to archive and share in locked-down environments.
  • Markdown and HTML now use a unified section renderer, so output consistency is better and maintenance is simpler.
  • JSON capture is now complete for dataTransforms, correlationExcluded, correlationIncluded, and streamingTables, which is useful if you want to post-process results in pipelines.
  • Full KQL text now shows up in DCR transform reporting without truncation, and multiline KQL behaves correctly in markdown tables.

```mermaid
%%{init: {'themeVariables': {'cScale0': '#355c4a', 'cScaleLabel0': '#e4e4e7'}}}%%
timeline
	title Log Horizon progression (0.2.1 to 0.5.0)
	0.2.1 : Custom classifications, active-only default, improved SOC recommendation detail
	0.2.2 : Narrow-console table usability improvements
	0.3.0 : Retention compliance analysis and correlation tag handling
	0.4.0 : DCR transform discovery, split-table detection, split KQL helper
	0.4.1 : Security hardening and stability fixes
	0.5.0 : Self-contained HTML export, complete JSON capture, CI-friendly non-interactive mode
```

Security and stability upgrades

0.4.1 was mostly about hardening.

  • Token memory sanitization was added to reduce leakage risk in long sessions.
  • Output path validation and HTML XSS protections were tightened.
  • REST API pagination got limits to prevent accidental overreach.
  • Module loader error masking was fixed, and PSScriptAnalyzer warnings were cleaned up.

There were also two subtle but important reliability fixes in 0.5.0:

  • A bug where a literal $ in replacement text was interpreted as a regex backreference, corrupting HTML token replacement, was fixed.
  • Internal helper names were changed (h to hEnc, md to mdEsc) to avoid conflicts with PowerShell’s default aliases (h for Get-History, md for mkdir) in interactive sessions.
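The $ backreference bug is easy to reproduce, so here is an added example (not code from the Log Horizon module) that shows a value with a literal $ being corrupted by a regex-based token replacement, next to two safe renderings. hEnc is a stand-in that is assumed to HTML-encode like the module’s helper; the template and cost string are constructed for this demonstration.

```powershell
# Added example, not Log Horizon's own code. hEnc is a hypothetical stand-in
# for the module's HTML-encoding helper; template and values are constructed.

function hEnc {
    param([string]$Text)
    # Encode <, >, &, " and ' so table content cannot inject markup into the report
    return [System.Net.WebUtility]::HtmlEncode($Text)
}

function Expand-ReportToken {
    param(
        [string]$Template,
        [string]$Token,
        [string]$Value,
        [ValidateSet('Buggy', 'Escaped', 'Literal')][string]$Mode
    )
    # Capture group 1 holds the token name, which is what '$1' will resolve to
    $pattern = '\{\{(' + [regex]::Escape($Token) + ')\}\}'
    $safe    = hEnc $Value   # encoding protects against markup, not against '$'

    switch ($Mode) {
        # Bug: '$1' inside $safe is read as a group reference and replaced
        'Buggy'   { return $Template -replace $pattern, $safe }
        # Fix 1: double every '$' so the regex engine emits it literally
        'Escaped' { return $Template -replace $pattern, $safe.Replace('$', '$$') }
        # Fix 2: avoid regex substitution entirely; String.Replace is literal
        'Literal' { return $Template.Replace("{{$Token}}", $safe) }
    }
}

$template = '<td class="cost">{{COST}}</td>'
$value    = 'Est. ingestion cost: $1,234/day <30d default>'   # constructed sample

foreach ($mode in 'Buggy', 'Escaped', 'Literal') {
    '{0,-7}: {1}' -f $mode, (Expand-ReportToken $template 'COST' $value $mode)
}
```

In the Buggy line the "$1" in the cost figure is replaced by the token name, while both fixes keep it intact and still HTML-encode the angle brackets.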

Workflow and analysis improvements

The 0.3.0 and 0.4.0 releases added the analysis depth I wanted from the start.

  • Retention assessment now includes compliance context aligned to CISA M-21-31, NIST SP 800-92, NCSC-UK, ASD ACSC, and NSA guidance.
  • Correlation tags (#DONT_CORR#, #INC_CORR#) are now detected and reflected in analysis.
  • Transform discovery now includes DCR listing and transform-type classification.
  • Split table detection (_SPLT_CL) and the split KQL helper (with a 15-table knowledge base plus fallback analysis) make optimization suggestions much more actionable.
  • The portal-ready condition-only KQL output and expandable recommendation handling improved the “take this into action” path.

```mermaid
flowchart LR
	A[Sentinel workspace tables] --> D[Log Horizon analysis]
	B[DCR transforms] --> D
	C[Rules and hunting coverage] --> D
	E[Retention and correlation tags] --> D
	F[Custom classifications] --> D

	D --> G[Cost vs detection scoring]
	D --> H[Split table and transform insights]
	D --> I[Retention compliance assessment]

	G --> J[Markdown report]
	H --> J
	I --> J
	G --> K[Self-contained HTML report]
	H --> K
	I --> K
	D --> L[Complete JSON export]
```

Test coverage and reliability

0.5.0 added 33 new Pester tests, bringing the total to 106. More coverage means fewer surprises when this runs in scheduled jobs and CI pipelines.