RESOURCES
In this blog post, we explore the vital role of selective data collection in modern security operations and examine how Microsoft Azure Sentinel addresses this challenge using its powerful Data Collection Rules (DCRs). Whilst the discussion centres on Sentinel-specific examples, the insights presented are highly relevant for any organisation looking to enhance SIEM efficiency. Whether you're a security architect aiming to streamline detection or an MSSP customer focused on reducing data ingestion and operational costs, adopting a signal-driven logging strategy can yield substantial benefits. By being deliberate in what data is collected, organisations can lower overhead, sharpen threat detection, and ensure cost-effective log management.
Overview
Many SIEMs were initially deployed with good intentions — to collect as much data as possible in the hope of fine-tuning later.
But that tuning rarely happens.
That mindset still lingers in many environments. Logs are collected in bulk — every authentication event, every DNS lookup, every endpoint action — regardless of whether they support real detections, investigations, or compliance obligations.
In the cloud, data is a billing item, not a passive artifact. Ingestion costs scale with volume, not value. When teams fail to define what matters, they end up paying to collect noise — and then spend time maintaining analytics rules that sift through it.
This is the new normal:
- Cloud-first SOCs must be efficient-first
- Default logging is no longer the safe option — it's the expensive one
- High-value logging must lead every collection decision
That's where Data Collection Rules (DCRs) — Microsoft's terminology for its policy-based logging control mechanism — come in. They shift ingestion from a technical default to a deliberate strategy.
DCRs let you:
- Define what signal is essential for detection
- Enrich logs with context at the point of collection
- Route different data types to destinations that match their purpose
This could mean routing high-fidelity authentication logs into Sentinel for active correlation, whilst archiving verbose application logs in cold storage. Or sending a copy of critical asset telemetry to an MDR provider specialised in behavioural analytics.
In this new normal, logging is not a passive operation — it's a strategic control point.
With DCRs, you stop treating ingestion as a checkbox and start treating it as a reflection of your detection priorities.
What Are Data Collection Rules (DCRs)?
Data Collection Rules (DCRs) are Azure's mechanism for managing how logs are collected, filtered, transformed, and routed — before they ever reach Microsoft Sentinel. They are foundational to shaping a modern security data pipeline.
DCRs apply across agents, cloud-native services, and custom log sources. They determine what data flows where and under what conditions — not just for ingestion into Sentinel, but also for routing to archival storage or third-party systems.
What makes DCRs so valuable is that they operate before ingestion. Logs can be filtered, enriched, and shaped at the source, reducing unnecessary volume and ensuring that only relevant signal reaches your Log Analytics workspace.
For example, you might choose to collect only specific Windows Security Event IDs, or to route Application Gateway logs to storage instead of Sentinel to reduce cost.
DCRs also support basic transformations — flattening fields, dropping unused elements, or tagging logs with metadata — all of which reduce complexity for detection logic downstream.
At their core, DCRs give you control over:
- What logs are collected
- Where they are sent
- How they are shaped before arrival
Whether segmenting telemetry between production and test, or enforcing structured ingestion across your asset tiers, DCRs are no longer just a configuration option — they are the enforcement point for detection strategy, cost efficiency, and clarity.
Why Use DCRs for Sentinel?
In a modern, cloud-native SOC, collecting logs without filtering or intent is no longer sustainable. Microsoft Sentinel charges by data volume, so broad ingestion directly translates into higher operational costs — often without a corresponding gain in detection fidelity. Default collection settings can easily pull in noisy event streams or low-signal telemetry that analysts never use and detection rules never query.
Data Collection Rules (DCRs) address this by enabling teams to reverse this trend by focusing on log quality instead of log quantity. Instead of a "collect now, tune later" model, DCRs shift organisations toward selective, value-led ingestion. For example, you can scope collection to the log categories and event types that directly support your detection coverage, whilst excluding those that create cost and clutter.
In many cases, security teams operate across diverse environments — different tiers of infrastructure, different business units, or even different detection and response providers. DCRs support multi-destination routing, allowing organisations to:
- Ingest high-value telemetry into Sentinel
- Forward bulk or compliance-driven logs to low-cost storage
- Mirror critical events to an external SIEM or MDR partner for specialised analysis
This flexibility enables service segmentation, where detection responsibilities can be distributed between providers. For example, a central SOC might monitor core identities and cloud platforms, while an external MDR focuses on endpoint and threat intel fusion — each using the same telemetry, but routed according to scope.
DCRs also support enrichment at the ingestion point, which prepares logs before they ever reach Sentinel. This includes light transformations like:
- Adding metadata from tags (e.g., environment or owner labels)
- Unifying inconsistent field names for easier querying
- Removing irrelevant fields to reduce payload size
By handling this early in the pipeline, DCRs reduce the burden on analytics rules and KQL queries. Detection logic becomes leaner and more maintainable, and incidents are easier to triage when relevant context is already present in the raw data.
In short, DCRs help organisations optimise for both cost and clarity — filtering out noise, enriching signal, and giving teams the control to build smarter, more adaptable detection architectures.
Less noise. More signal. Cleaner detections. Lower cost.
How It Works
In security operations, the role of a DCR is to control the shape, volume, and destination of security-relevant data before it becomes part of your detection and response pipeline.
When a system generates a log — whether from a Windows server, Linux host, cloud service, or custom app — the Azure Monitor pipeline first checks for any Data Collection Rules (DCRs) that apply to that system or resource.
Once a DCR is defined, it's applied to a specific scope — typically a group of machines, systems, or cloud workloads that produce security-relevant logs. This lets you tune data policy based on the role or sensitivity of the system, not just its location or resource type.
If a DCR is assigned, the log data flows through three evaluation stages:
- Filtering: The DCR applies conditions such as Event IDs, log categories, or XPath expressions. If the data doesn't match, it's discarded at the edge — never ingested, never billed.
- Transformation (optional): Logs that pass the filter can be shaped before delivery. This includes operations like removing fields, renaming properties, or attaching metadata (e.g., labels from resource tags or external config).
- Routing: The shaped log is sent to one or more destinations. Common destinations include:
- Log Analytics (for Sentinel analytics and investigation)
- Azure Storage (for archival or regulatory retention)
- Event Hubs (for forwarding to third-party platforms)
This process happens in real time, before the data hits any detection logic or cost metre. The DCR acts as a policy gate at the point of collection — shaping and steering the log stream according to your design.
DCR evaluation is stateless and infrastructure-driven. Once assigned, it automatically applies to any log emitted by that resource, requiring no intervention from the host or the detection rules downstream.
-
Understanding Group Managed Service Accounts (gMSAs): Advantages Over Traditional Service Accounts
Nearly all breaches in the last decade were preventable. While intrusions, defence evasions, and human error can occur, good cybersecurity practices can stop threat actors from progressing along the kill chain before achieving their goals. We've been sharing best practices through Tips & Tricks LinkedIn posts to help our followers build cyber-resilient networks. Our VP of Product, Cumhur Hatipoglu, has written a new blog diving deeper into Group Managed Service Accounts (gMSAs)—one of our recent Tips & Tricks topics. This Microsoft feature provides enhanced protection against attack techniques including credential theft, dumping, lateral movement, and privilege escalation. Your detection and response teams and service providers should focus on handling sophisticated attacks that bypass internal defences—not the preventable ones.
-
Managing Cyber Risk with CTEM and Beyond
Cynode Ultima takes the complexity out of cyber threat management with its all-in-one security platform. Building on Gartner's CTEM framework, we've created a solution that brings together essential security tools - from threat intelligence and vulnerability prioritization to dark web monitoring and attack surface management - in one place. The article explores why organizations often struggle to implement security programs that meaningfully reveal their true risks and security gaps. We show how Ultima bridges this gap by providing an integrated approach that helps businesses understand and address their actual security exposures, making advanced threat management both accessible and actionable.
-
Investing in Dark Web Monitoring: A Practical Guide
Should you invest in a Dark Web Monitoring service? The answer is not as straightforward as you might think—it really depends. Whilst Dark Web Monitoring is undoubtedly valuable, where does it rank in your list of priorities? For instance, if you have a limited budget, should you invest in Dark Web Monitoring or a Security Awareness Programme? The answers to such questions vary for each organisation, but there are some general principles that can guide your decision-making process.
-
The Persistent Threat of Business Email Compromise
Business Email Compromise is a sophisticated type of email and identity based attack that doesn't rely on malware or malicious links. Instead, it leverages social engineering tactics to manipulate human trust and judgement. This makes BEC attacks particularly challenging to detect and prevent, even for organisations with robust protection infrastructures and cyber security awareness programmes.
-
The Risks of Increasing SaaS Use
Organisations increasingly rely on cloud applications, with small enterprises using over 20 SaaS apps per user and large companies exceeding 250 per company. This growth introduces significant cyber security risks, including unauthorised access and Shadow IT, where unsanctioned apps are used without oversight. To mitigate these risks, companies need advanced monitoring solutions like Cynode’s MDR for Cloud Apps Shadow IT, which offers visibility, consent policy enforcement, and threat detection across SaaS platforms, ensuring security and compliance.
-
Interview with Senior Cyber Advisor Per-Olov Kask
Delve into the fascinating career journey of a seasoned cyber security professional who has dedicated over three decades to the ever-evolving IT and cyber security landscape. Starting as an IT technician in 1993, our expert quickly rose through the ranks to become a country IT manager, driven by a passion for combating emerging cyber threats. In 2022, this journey led to an impactful role at Cynode as a Senior Cyber Advisor. Join us as we explore his experiences, insights, and the innovative approaches that make Cynode a leader in the cyber security field.
-
Regular EDR Policy Tuning
The cyber security world has recently focused on EDR technology due to its significant impact across industries. This post explores the evolution from early antivirus software to EDR platforms. Key milestones include the introduction of commercial antivirus software in 1987, the emergence of heuristic and behavioural detection methods in the early 2000s, and the development of Next-Gen Antivirus (NGAV) in 2010. EDR solutions, emerging around 2013, are crucial for detecting, investigating, and mitigating security threats but require regular policy updates and meticulous tuning for optimal performance.
-
Mastering Log Management: Enhancing SIEM and SOC Efficacy
Efficient log management is critical for SIEM and SOC efficacy. Challenges include log agent malfunctions, configuration errors, and network issues. This blog explores four log problem categories, from detection failures to incomplete logs, and introduces innovative solutions for proactive threat detection and response. Learn how Cynode's integrated threat simulation and log validation processes ensure optimal log coverage and enhanced security monitoring. Stay ahead of cyber threats with robust log management practices.
-
Understanding WebApp Exposure
WebApp Exposure Monitoring involves regular assessments and updates to perimeter defence platforms like WAF policies, ensuring alignment with the latest threat intelligence. Having a proactive stance to WebApp attacks is crucial as cyber threats incredibly fast, often outpacing traditional security defences. The process of continuously monitoring web applications allows organisations to more readily detect anomalies and respond to threats in real-time, minimising the risk of data breaches and other cyber incidents.
-
Introduction to Managed Security Service Providers (MSSPs)
Businesses increasingly struggle with cyber security management, especially with limited resources. Managed Security Service Providers (MSSPs) like Cynode offer comprehensive, efficient solutions, managing everything from security infrastructure to incident response, often using cloud services for cost efficiency. This article explores the benefits and services MSSPs provide, underscoring their importance in modern cyber security strategies.
-
Improving SIEM Efficacy as the Market Evolves
As the SIEM market evolves with new mergers and partnerships, Cynode supports practitioners to ensure no security event is missed, offering comprehensive services from threat-centric log and rule validation to complete SIEM management.
-
Welcome Konrad Falk as Our New Senior Cyber Advisor & Architect!
Konrad brings extensive experience in Cyber Security and IT, with a background in programming, networking, and security. Passionate about securing companies and educating others, he values the trust of our leadership and is eager to manage security incidents and tackle evolving threats hands-on.
-
“Trust me, I was an engineer” – Björn Nilsson
We are pleased to announce Björn Nilsson as the new Head of Security Operations Sweden at Cynode. His extensive experience in cyber security and IT infrastructure marks a significant milestone in enhancing our capabilities. Björn brings a wealth of expertise from various critical roles within the industry.
-
Cynode Boosts Team with Gustav Bivstedt's Technical Expertise
Cynode hires Gustav Bivstedt as a Cyber Advisor to enhance our Cyber Advisory and Assurance Services. His expertise strengthens our technical capacity and supports business growth, including new offerings in security testing, cyber maturity assessments, and proactive risk management with Cyber Threat Intelligence.
-
Meet our "VP of Product" Cumhur Hatipoglu
As Cynode’s CMO, I am constantly impressed by our team's innovation and engagement. Cumhur Hatipoglu, our new VP of Product, enhances our mission to innovate in cyber security and MDR services. His approach integrates NIST CSF and best security practices to ensure our solutions meet clients' evolving needs.
-
Hacking and Cyber Warfare Go Hand in Hand
Sweden, amidst its NATO application and tensions with Russia and Turkey, has experienced a rise in political cyber-attacks. Groups such as Anonymous have targeted governmental infrastructures, leading to data leaks. Escalation of cyber-crime and nation-state backed cyber warfare necessitates global enhancement of defense measures.
-
EU updates NIS Directive. Are you compliant?
The European Union introduced the NIS 2 Directive to improve the cyber security of critical infrastructure systems within its member states and to ensure that digital service providers and operators of essential services have adequate security measures in place to secure their networks and data.
-
Rise of Cyber Due Diligence in M&A Processes
Sweden's post-pandemic economic recovery has spurred M&As. Cynode emphasises integrating cyber due diligence to address vulnerabilities, protect essential information, and optimise security spending, enhancing the security posture before, during and after M&As.