Domain Controller Security Events to Collect in Sentinel

I am setting up Sentinel to monitor security events from domain controllers on our network. I am just wondering what others are doing in terms of collection. Do you use All, Minimal, or Common in the Data Collection Rule, or some sort of custom selection of event IDs? DC security logs are pretty noisy once configured properly for auditing, so I am looking to maximise visibility while at the same time minimising cost. I'd be grateful for any advice or tips. Also, what are your favourite analytics rules for detecting threats from the DC logs?

submitted by /u/ShoreOutlaw