Log Horizon connects to your Microsoft Sentinel workspace (and optionally Defender XDR), goes through every log table you’re ingesting, and tells you whether you’re getting security value from it or just burning money. It classifies tables, scores them against your detection rules, and gives you concrete recommendations with savings estimates.
## Features
| Feature | Description |
|---|---|
| Classification Engine | 345-entry knowledge base covering 190+ connectors, 21 categories, with automatic heuristic fallback for unknown tables |
| Cost-Value Scoring | Per-table cost tier vs detection tier matrix with combined assessment (High Value → Low Value) |
| Recommendations | Prioritised actions: data lake candidates, zero-detection tables, XDR streaming waste, ingest-time filtering, retention shortfalls |
| Detection Mapping | Maps analytics rules, hunting queries, and XDR detections to each table to spot coverage gaps |
| Correlation Tags | Detects `#DONT_CORR#` / `#INC_CORR#` tags in rule descriptions and flags rules excluded from Defender correlation |
| Retention Compliance | Compares actual retention against recommended minimums based on industry standards and security best practices |
| SOC Optimisation | Pulls Microsoft’s own SOC improvement recommendations from the Security Insights API |
| Keyword Gap Analysis | Flags tables you should be ingesting but aren't, based on vendor/product keywords |
| Transform Discovery | Discovers Data Collection Rules (DCRs) and classifies ingest-time transforms (filter, projection, enrichment, aggregation) |
| Split Table Detection | Identifies `_SPLT_CL` split tables and links them back to parent tables in the classification engine |
| Split KQL Generator | Generates portal-ready split KQL from a curated knowledge base, live rule analysis, and community field frequency stats — condition-only format that pastes straight into the Sentinel split rule editor |
| Detection Analyzer | Scores analytic rules for potential noisiness using incident outcomes (auto-close ratio, false positive ratio, and incident volume percentiles) |
| XDR Checker | Adds an XDR-focused advisory layer: streaming coverage checks and one-year Data Lake retention guidance for XDR-related telemetry |
| Custom Classifications | Provide your own JSON to add or override the built-in classification database |
| Interactive TUI | Spectre.Console dashboard with menus, colour-coded tables, drill-downs, and ASCII art |
| Export | JSON, Markdown, or static HTML report for sharing with the team |
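As an added illustration of how the Detection Mapping and Cost-Value Scoring features fit together (example code written for this page, not Log Horizon's own implementation), the Python below maps hypothetical analytics rules to the tables their KQL reads, then combines an assumed cost tier with the resulting detection tier into a per-table verdict. The table inventory, rule KQL and tier thresholds are all constructed assumptions.

```python
import re
from dataclasses import dataclass
IDENT = r"[A-Za-z_][A-Za-z0-9_]*"

# Constructed sample workspace inventory: table -> billable GB/day (values are assumed).
TABLES_GB_PER_DAY = {"SecurityEvent": 120.0, "SigninLogs": 35.0, "AzureActivity": 4.0,
                     "Perf": 80.0, "CommonSecurityLog": 60.0}
# Constructed sample analytics rules (hypothetical KQL, not the project's knowledge base).
RULES = {
    "Brute force sign-ins": "SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName",
    "Impossible travel": "SigninLogs | where ResultType == 0 | summarize dcount(Location) by UserPrincipalName",
    "Suspicious process": "SecurityEvent\n| where EventID == 4688\n| join kind=inner "
                          "(SigninLogs | project UserPrincipalName) on $left.Account == $right.UserPrincipalName",
    "Firewall denies": "union kind=outer CommonSecurityLog, SecurityEvent | where DeviceAction == 'deny'",
}

def tables_in_query(kql: str, known: set[str]) -> set[str]:
    """Tables a rule reads: leading source of the pipeline and of each sub-query, plus union operands."""
    candidates = {m.group(1) for m in re.finditer(rf"(?:^|\()\s*({IDENT})", kql)}
    for m in re.finditer(r"\bunion\b([^|]*)", kql):
        candidates.update(re.findall(IDENT, m.group(1)))  # keywords like kind/outer drop out below
    return candidates & known  # intersecting with the inventory discards function args and keywords

@dataclass
class TableAssessment:
    table: str; gb_per_day: float; rules: list[str]
    cost_tier: str; detection_tier: str; verdict: str

def cost_tier_of(gb_per_day: float) -> str:  # tier thresholds are assumptions
    return "High" if gb_per_day >= 50 else "Medium" if gb_per_day >= 10 else "Low"

def detection_tier_of(rule_count: int) -> str:  # tier thresholds are assumptions
    return "None" if rule_count == 0 else "Low" if rule_count < 3 else "High"

def assess(tables: dict[str, float], rules: dict[str, str]) -> list[TableAssessment]:
    """Map rules to tables, combine cost tier with detection tier, costliest table first."""
    rule_map: dict[str, list[str]] = {t: [] for t in tables}
    for name, kql in rules.items():
        for t in tables_in_query(kql, set(tables)):
            rule_map[t].append(name)
    out = []
    for t, gb in tables.items():
        ct, dt = cost_tier_of(gb), detection_tier_of(len(rule_map[t]))
        verdict = ("Zero detection" if dt == "None"      # data lake / ingest-time filtering candidate
                   else "High value" if dt == "High"
                   else "Low value" if ct == "High"      # expensive but barely used by rules
                   else "Moderate value")
        out.append(TableAssessment(t, gb, sorted(rule_map[t]), ct, dt, verdict))
    return sorted(out, key=lambda a: a.gb_per_day, reverse=True)
```

Tables with a "Zero detection" or "Low value" verdict are the ones the recommendations feature would surface as data lake or filtering candidates; the real tool also folds in hunting queries and XDR detections, which this sketch omits.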