
How are people reducing Log Analytics ingest cost without losing detections?

Hi all. The Sentinel bill is getting harder to defend and I am trying to be smart about the Analytics tier, Basic, Auxiliary or... just dropping? (For me, that is not a real option. But others say this.)

Right now everything goes into Analytics: SigninLogs, AADNonInteractive, OfficeActivity, SecurityEvent, MDE tables, plus network and firewall. NonInteractive is almost half of the volume and I don't know how much real detection value we really get from it.

Thinking of moving AADNonInteractive to Auxiliary. If you did this, what detections did you lose? Worth it? Anyone using summary rules (at scale)? Are they reliable or buggy? How aggressive are you with DCR transformations? ADX for retention only, or do you actually run detections on it?

Please, not looking for "turn it off" advice, thanks.

submitted by /u/wenttoibiza

Too many false positives in sign-in risk rules. How are you tuning?

Hi all, we have a problem with too much noise in our sign-in risk rules and the SOC team is very tired of false positives. What is the best way of tuning the scheduled analytics rules? Better to use entity mapping with grouping, or make a watchlist for the service accounts we know are good and exclude them? Also, is anyone using NRT rules for high-fidelity detections without making the ingestion cost explode? Thanks

submitted by /u/wenttoibiza
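One way to implement the watchlist exclusion the post asks about, as an added KQL example that is not from the post or from Microsoft: it assumes a Sentinel watchlist with the alias KnownServiceAccounts whose SearchKey column holds the account UPN, and a scheduled rule running on a 1-hour window.

```kql
// Added example: risky successful sign-ins, minus known service accounts held in a watchlist.
// Assumes (constructed for this example) a watchlist with alias 'KnownServiceAccounts'
// whose SearchKey column is the UPN of each approved service account.
let lookback = 1h;
let KnownGood =
    _GetWatchlist('KnownServiceAccounts')
    | project KnownUPN = tolower(SearchKey);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                                     // successful sign-ins only
| where RiskLevelDuringSignIn in ("medium", "high")
| where RiskState in ("atRisk", "confirmedCompromised")       // skip dismissed/remediated risk
| extend UPN = tolower(UserPrincipalName)
| join kind=leftanti KnownGood on $left.UPN == $right.KnownUPN // drop watchlisted accounts
// Collapse a burst of events for one account into a single row so the rule raises one alert;
// map UserPrincipalName to the Account entity and SourceIPs to IP entities in the rule.
| summarize
    SignInCount = count(),
    SourceIPs   = make_set(IPAddress, 10),
    Apps        = make_set(AppDisplayName, 10),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by UPN, RiskLevelDuringSignIn
| project-rename UserPrincipalName = UPN
```

Pair the query with alert grouping by the mapped Account entity in the rule's incident settings, so repeated hits for the same user over the day land in one incident instead of many.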