
PRISM
Security Data Value Intelligence
27 MAY 2026 · FY2025 ANALYSIS
Total Logs Ingested: 4.2 TB / day (↑ 18% YoY)
Total SIEM Cost: $3.8M per year (↑ 24% YoY)
GB Utilisation
of entitlement
Reduction Opportunity: 47% of ingest is low-value (baseline)
Potential Savings: $1.8M per year (risk-neutral)
Detection Coverage: 68 / 100 score (↑ 5 pts)
Investigation Readiness: 72 / 100 score (↑ 3 pts)

CISO Briefing Note

Your organisation is ingesting 4.2 TB/day across 22 log sources at a combined SIEM + data lake cost of $5.0M/year. Analysis shows that 47% of ingested volume comes from sources with 5 or fewer detections a year and negligible investigation usage. Rationalising these sources with AI-driven telemetry classification can recover $1.8M/year without material impact on detection capability or MITRE ATT&CK coverage. The top 4 high-value sources (Entra ID, CrowdStrike, DNS and Azure Activity) account for 83% of all detections at less than 5% of total spend. Conversely, Palo Alto Traffic Logs alone cost $600k/year and contribute only 5 detections.

01  What security data am I paying for?
    22 active sources · $5.0M total spend · 4.2 TB/day
02  Which logs actually detect threats?
    4 sources drive 83% of detections · Entra ID leads at 120/yr
03  Which logs help investigations?
    6 sources are investigation-critical · DNS + Proxy most queried
04  Which logs are low utility?
    9 sources have 0 detections, 0 investigations, 0 compliance value
05  How much can I save without increasing risk?
    $1.8M/year identified savings · No impact to detection coverage · Full MITRE coverage maintained across critical tactics
Log Source Value Scorecard 22 SOURCES (12 shown)
Scored by detections · investigations · cost efficiency · compliance

Log Source                   GB/Day  Annual Cost  Detections  Investigations  Value Score  Rating
Entra ID (Azure AD)              50         $80k         120              85           95  ● High Value
CrowdStrike EDR                  40         $60k          95              70           90  ● High Value
Azure Activity Logs              25         $35k          65              55           87  ● High Value
DNS Logs                         30         $40k          45              30           80  ● High Value
Email Security (Defender)        20         $30k          38              22           75  ● High Value
Proxy / Web Gateway              80         $95k          28              40           65  ● Medium Value
VPN / Remote Access              15         $22k          20              18           60  ● Medium Value
AWS CloudTrail                   35         $50k          15              20           58  ● Medium Value
Palo Alto Traffic Logs          500        $600k           5               3           25  ● Low Value
Legacy Firewall (Cisco ASA)     200        $240k           2               1           15  ● Low Value
NetFlow / IPFIX                 300        $360k           0               2           10  ● Low Value
Legacy App Syslog               150        $180k           0               0            5  ● Low Value
Cost Per Detection BY LOG SOURCE
Bar width = relative cost per detection (annual cost / detections). Best = narrow green. Worst = full red.
Azure Activity         $538
CrowdStrike            $632
Entra ID               $667
Email Security         $789
DNS Logs               $889
Proxy Logs           $3,393
Legacy Firewall    $120,000
Palo Alto Traffic  $120,000
Legend: Efficient (<$1k) · Moderate ($1k–$10k) · Low Utility (>$10k)
Cost Per Investigation BY LOG SOURCE
Bar width = relative cost per investigation (annual cost / investigations). Best = narrow green. Worst = full red.
CrowdStrike            $857
Entra ID               $941
VPN Logs             $1,222
DNS Logs             $1,333
Proxy Logs           $2,375
AWS CloudTrail       $2,500
Palo Alto Traffic  $200,000
Legacy App Syslog  NO USAGE
Legend: Efficient (<$2k) · Moderate ($2k–$10k) · Low Utility (>$10k)
ROI Summary by Source COMPOSITE

Log Source              Annual Cost  Detections  Investigations    Cost / Detection  Cost / Investigation  ROI Signal
Azure Activity Logs            $35k          65              55                $538                  $636  ● Excellent
CrowdStrike EDR                $60k          95              70                $632                  $857  ● Excellent
Entra ID (Azure AD)            $80k         120              85                $667                  $941  ● Excellent
DNS Logs                       $40k          45              30                $889                $1,333  ● Strong
Proxy / Web Gateway            $95k          28              40              $3,393                $2,375  ● Moderate
AWS CloudTrail                 $50k          15              20              $3,333                $2,500  ● Moderate
Legacy Firewall (ASA)         $240k           2               1            $120,000              $240,000  ● Critical Low Utility
Palo Alto Traffic             $600k           5               3            $120,000              $200,000  ● Critical Low Utility
NetFlow / IPFIX               $360k           0               2  n/a (0 detections)              $180,000  ● No Value
Critical Detection Sources PROTECT — DO NOT REMOVE

Entra ID (Azure AD)
120 detections · 85 investigations
If removed → 38% of all detections fail. MFA bypass and brute-force attacks become invisible.
★ CRITICAL — MAINTAIN

CrowdStrike EDR
95 detections · 70 investigations
If removed → 30% of detections fail. Ransomware and malware execution become invisible.
★ CRITICAL — MAINTAIN

DNS Logs
45 detections · 30 investigations
If removed → C2 beaconing detection eliminated. DNS tunnelling becomes invisible.
★ CRITICAL — MAINTAIN

Azure Activity Logs
65 detections · 55 investigations
If removed → Cloud resource abuse and privilege escalation become invisible.
★ CRITICAL — MAINTAIN
Rationalisation Candidates ACTION REQUIRED

Palo Alto Traffic Logs
5 detections · 500 GB/day · $600k/yr
No compliance requirement. Filter to deny/alert traffic only. 60% volume reduction achievable.
▼ SAMPLE 60%

Legacy Firewall (Cisco ASA)
2 detections · 200 GB/day · $240k/yr
Device decommission scheduled Q3. Archive cold logs only; remove active SIEM ingestion.
▼ ARCHIVE

NetFlow / IPFIX
0 detections · 300 GB/day · $360k/yr
Zero investigations in 12 months. No compliance mapping. No analyst queries in 90 days.
✕ REMOVE

Legacy App Syslog
0 detections · 150 GB/day · $180k/yr
Zero analyst queries in 90 days. No compliance requirement. Pure ingest cost.
✕ REMOVE
Analyst Query Volume — Last 90 Days SOC USAGE
Entra ID            8,000
CrowdStrike         6,500
Azure Activity      5,800
DNS Logs            4,800
Email Security      4,000
Proxy Logs          2,800
AWS CloudTrail      2,000
VPN Logs            1,200
Palo Alto Traffic      12
NetFlow / IPFIX         4
Legacy Firewall         0
Legacy App Syslog       0
Incident Case Source Usage — 90 Days CASE LINKAGE

Source              Incidents Referenced  Cases Opened  Avg Queries/Case
Entra ID                              42            38               210
CrowdStrike                           38            35               186
DNS Logs                              28            24               200
Proxy Logs                            18            15               187
AWS CloudTrail                        12            10               200
Palo Alto Traffic                      1             1                12
Legacy Firewall                        0             0               n/a

Never Queried in 90 Days: Legacy App Syslog · NetFlow / IPFIX · Legacy Firewall (full) · DHCP Verbose · Print Server Logs · Wi-Fi Auth (AAA)
AI Telemetry Classification Engine PRISM ROUTING
Automated routing based on detection value, investigation usage, compliance, and cost signals

Log Source               Classification              Routing Action           Est. Annual Save
Entra ID                 ◆ Detection Critical        → SIEM (Full)
CrowdStrike EDR          ◆ Detection Critical        → SIEM (Full)
Azure Activity Logs      ◆ Detection Critical        → SIEM (Full)
DNS Logs                 ◈ Investigation Critical    → SIEM + Lake
Email Security           ◈ Investigation Critical    → SIEM + Lake
Proxy / Web Gateway      ◈ Investigation Critical    → SIEM + Lake
AWS CloudTrail           ◇ Compliance Only           → Lake Only              $22k
VPN / Remote Access      ◇ Compliance Only           → Lake Only              $10k
Palo Alto Traffic Logs   ✕ Low Value                 → Filter + Sample        $360k
Legacy Firewall (ASA)    ◻ Forensic / Archive        → Cold Archive           $210k
NetFlow / IPFIX          ✕ Low Value                 → Remove                 $360k
Legacy App Syslog        ✕ Low Value                 → Remove                 $180k
DHCP Verbose             ✕ Low Value                 → Filter (errors only)   $45k
Print / Wi-Fi Auth       ✕ Low Value                 → Remove                 $38k
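The classification and routing outcomes in the table above can be reproduced from the scorecard's own figures. The following is an added example, not PRISM's engine or any code from this page: it computes cost per detection and per investigation, bands the ROI signal, and applies an ordered rule set to choose a routing action and estimate the saving. The thresholds, the SAVE_FRACTION table and the compliance/decommissioning flags are assumptions chosen so that the output matches the routing table; the page states the outcomes of its rules, not the rules themselves.

```python
"""Value metrics and routing classification over the scorecard figures.
Example code; thresholds and saving fractions are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Source:
    name: str
    annual_cost: float             # USD/year, SIEM + data lake
    detections: int                # true-positive detections, last 12 months
    investigations: int            # incident cases that referenced the source
    compliance: bool = False       # retention mandated by a control (assumed flag)
    decommissioning: bool = False  # device leaving the estate (assumed flag)


# Assumed thresholds (the page gives outcomes, not the cut-offs).
DETECTION_CRITICAL_MIN = 50        # detections/year
INVESTIGATION_CRITICAL_MIN = 21    # cases/year
EFFICIENT_COST_PER_DETECTION = 1_000
EFFICIENT_COST_PER_CASE = 5_000

# Assumed share of annual cost each routing action recovers.
SAVE_FRACTION = {"SIEM (Full)": 0.0, "SIEM + Lake": 0.0, "Lake Only": 0.45,
                 "Filter + Sample": 0.60, "Cold Archive": 0.875, "Remove": 1.0}


def cost_per(cost: float, n: int) -> Optional[float]:
    """Unit cost, or None when there is nothing to divide by (0 detections)."""
    return None if n == 0 else cost / n


def roi_signal(s: Source) -> str:
    """Band cost per detection the way the ROI table does."""
    cpd = cost_per(s.annual_cost, s.detections)
    if cpd is None:
        return "No Value"
    if cpd < 750:
        return "Excellent"
    if cpd < 1_000:
        return "Strong"
    if cpd < 10_000:
        return "Moderate"
    return "Critical Low Utility"


def classify(s: Source) -> tuple[str, str]:
    """Return (classification, routing action). Rule order matters: detection
    value wins over investigation value, and a compliance mandate keeps a
    source in the lake even when SOC usage alone would not justify it."""
    cpd = cost_per(s.annual_cost, s.detections)
    cpi = cost_per(s.annual_cost, s.investigations)
    if s.detections >= DETECTION_CRITICAL_MIN and cpd <= EFFICIENT_COST_PER_DETECTION:
        return "Detection Critical", "SIEM (Full)"
    if s.investigations >= INVESTIGATION_CRITICAL_MIN and cpi <= EFFICIENT_COST_PER_CASE:
        return "Investigation Critical", "SIEM + Lake"
    if s.compliance:
        return "Compliance Only", "Lake Only"
    if s.decommissioning:
        return "Forensic / Archive", "Cold Archive"
    if s.detections > 0:
        return "Low Value", "Filter + Sample"   # still fires occasionally: thin it, don't cut it
    return "Low Value", "Remove"


def estimated_saving(s: Source) -> int:
    return round(s.annual_cost * SAVE_FRACTION[classify(s)[1]])


SOURCES = [  # figures from the scorecard; compliance/decommissioning flags are assumed
    Source("Entra ID", 80_000, 120, 85),
    Source("CrowdStrike EDR", 60_000, 95, 70),
    Source("Azure Activity Logs", 35_000, 65, 55),
    Source("DNS Logs", 40_000, 45, 30),
    Source("Email Security", 30_000, 38, 22),
    Source("Proxy / Web Gateway", 95_000, 28, 40),
    Source("AWS CloudTrail", 50_000, 15, 20, compliance=True),
    Source("VPN / Remote Access", 22_000, 20, 18, compliance=True),
    Source("Palo Alto Traffic Logs", 600_000, 5, 3),
    Source("Legacy Firewall (ASA)", 240_000, 2, 1, decommissioning=True),
    Source("NetFlow / IPFIX", 360_000, 0, 2),
    Source("Legacy App Syslog", 180_000, 0, 0),
]


def routing_plan(sources=SOURCES) -> dict[str, tuple[str, str, int]]:
    """name -> (classification, routing action, estimated annual saving)."""
    return {s.name: (*classify(s), estimated_saving(s)) for s in sources}


if __name__ == "__main__":
    plan = routing_plan()
    for name, (cls, action, save) in plan.items():
        print(f"{name:24} {cls:24} -> {action:20} ${save:>9,}")
    print("total estimated saving:", sum(v[2] for v in plan.values()))
```

Note that cost_per returns None rather than dividing by zero; that is what turns NetFlow's 0 detections into a "No Value" signal instead of an exception or a misleading $0 per detection.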
MITRE ATT&CK Coverage Map FRAMEWORK

Technique ID  Technique Name                      Primary Data Sources            Coverage
T1078         Valid Accounts                      Entra ID, Azure Activity        ● Covered
T1059         Command and Scripting Interpreter   CrowdStrike                     ● Covered
T1566         Phishing                            Email Security                  ● Covered
T1071         Application Layer Protocol (C2)     DNS, Proxy Logs                 ● Covered
T1110         Brute Force                         Entra ID, VPN                   ● Covered
T1548         Abuse Elevation Control Mechanism   Azure Activity, Entra ID        ● Covered
T1530         Data from Cloud Storage             AWS CloudTrail, Azure Activity  ◑ Partial
T1021         Remote Services                     VPN, CrowdStrike                ◑ Partial
T1055         Process Injection                   CrowdStrike                     ◑ Partial
T1557         Adversary-in-the-Middle             ⚠ No source mapped              ○ GAP
T1119         Automated Collection                ⚠ No source mapped              ○ GAP
T1496         Resource Hijacking                  ⚠ No source mapped              ○ GAP
Coverage Summary & Gap Remediation GAPS
6 Fully Covered · 3 Partial Coverage · 3 Coverage Gaps

Gap Remediation Recommendations
T1557 — AiTM coverage requires NDR or packet capture. Consider Zeek/Corelight.
Estimated onboarding: $25k/year · High detection ROI
T1119 — Enable M365 DLP audit events or Microsoft Purview.
Already licensed; configuration change only, zero cost
T1496 — Ingest Azure Cost Management anomaly alerts for resource hijacking detection.
Lightweight feed; minimal ingest impact
Security Events of Interest Inventory CAPABILITY MAP
Foundation for detection rationalisation and data source justification

Security Event            Required Log Sources                   MITRE Technique  Coverage
Privileged Login          Entra ID · Azure Activity · VPN Logs   T1078, T1110     ● Full
Malware Execution         CrowdStrike                            T1059, T1055     ● Full
Data Exfiltration         Proxy Logs · DNS · Email Security      T1041, T1048     ● Full
C2 Beaconing              DNS · Proxy Logs                       T1071            ● Full
Cloud Resource Abuse      AWS CloudTrail · Azure Activity        T1548, T1530     ◑ Partial
Phishing / BEC            Email Security · Entra ID              T1566            ● Full
Lateral Movement          CrowdStrike · Entra ID · VPN Logs      T1021            ◑ Partial
Ransomware Precursors     CrowdStrike · DNS                      T1486            ● Full
Adversary-in-the-Middle   ⚠ No source mapped                     T1557            ○ GAP
Supply Chain Compromise   CrowdStrike · ⚠ SCA logs missing       T1195            ◑ Partial
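The claim that savings come with "no impact to detection coverage" is only as good as the check behind it, and the coverage map above is enough to re-derive it. The following is an added example, not PRISM's logic: it encodes the technique-to-source mapping and page statuses, then recomputes coverage after a proposed routing change. The model is an assumption of this example: a source routed out of the SIEM no longer feeds real-time rules, so each technique it evidences drops one level for detection, while lake-only data stays searchable, so investigation coverage only falls when a source is removed outright. Under that model the immediate removals (NetFlow, Legacy App Syslog) are clean, but routing VPN and AWS CloudTrail to Lake Only lowers real-time coverage for T1110, T1021 and T1530.

```python
"""What-if coverage check: re-derive the ATT&CK coverage map after a routing
change. Example code; the downgrade-per-lost-source rule is an assumption."""

LEVELS = ["GAP", "Partial", "Covered"]

# technique: (name, sources that evidence it, status on the page)
COVERAGE = {
    "T1078": ("Valid Accounts", {"Entra ID", "Azure Activity"}, "Covered"),
    "T1059": ("Command and Scripting Interpreter", {"CrowdStrike"}, "Covered"),
    "T1566": ("Phishing", {"Email Security"}, "Covered"),
    "T1071": ("Application Layer Protocol", {"DNS", "Proxy"}, "Covered"),
    "T1110": ("Brute Force", {"Entra ID", "VPN"}, "Covered"),
    "T1548": ("Abuse Elevation Control Mechanism", {"Azure Activity", "Entra ID"}, "Covered"),
    "T1530": ("Data from Cloud Storage", {"AWS CloudTrail", "Azure Activity"}, "Partial"),
    "T1021": ("Remote Services", {"VPN", "CrowdStrike"}, "Partial"),
    "T1055": ("Process Injection", {"CrowdStrike"}, "Partial"),
    "T1557": ("Adversary-in-the-Middle", set(), "GAP"),
    "T1119": ("Automated Collection", set(), "GAP"),
    "T1496": ("Resource Hijacking", set(), "GAP"),
}


def downgrade(status: str, steps: int) -> str:
    """Drop a coverage level once per lost source, never below GAP."""
    return LEVELS[max(0, LEVELS.index(status) - steps)]


def coverage(tiers: dict[str, str], usable: set[str]) -> dict[str, str]:
    """tiers maps source -> 'siem' | 'lake' | 'removed'; unmapped sources stay
    in the SIEM. A source only counts if its tier is in `usable`."""
    out = {}
    for tid, (_, sources, status) in COVERAGE.items():
        lost = [s for s in sources if tiers.get(s, "siem") not in usable]
        out[tid] = downgrade(status, len(lost))
    return out


def detection_coverage(tiers: dict[str, str]) -> dict[str, str]:
    """Real-time rules only see what is in the SIEM."""
    return coverage(tiers, {"siem"})


def investigation_coverage(tiers: dict[str, str]) -> dict[str, str]:
    """Hunts and case work can query the SIEM or the lake."""
    return coverage(tiers, {"siem", "lake"})


def regressions(tiers, fn=detection_coverage) -> list[tuple[str, str, str]]:
    """(technique, before, after) for every technique whose status changed."""
    before, after = fn({}), fn(tiers)
    return sorted((t, before[t], after[t]) for t in COVERAGE if after[t] != before[t])


def summary(cov: dict[str, str]) -> dict[str, int]:
    return {lvl: sum(1 for v in cov.values() if v == lvl) for lvl in LEVELS}


# Routing changes taken from the rationalisation plan on this page.
IMMEDIATE = {"NetFlow": "removed", "Legacy App Syslog": "removed"}
PROPOSED = {**IMMEDIATE, "Legacy Firewall": "removed",
            "AWS CloudTrail": "lake", "VPN": "lake"}

if __name__ == "__main__":
    print("baseline:", summary(detection_coverage({})))
    print("immediate actions, detection regressions:", regressions(IMMEDIATE))
    print("full proposal, detection regressions:", regressions(PROPOSED))
    print("full proposal, investigation regressions:",
          regressions(PROPOSED, investigation_coverage))
```

The regressions list is the artefact to attach to a "no detection impact" statement: an empty list for the immediate actions supports the claim; the three entries for the full proposal mean VPN brute force, VPN-based lateral movement and AWS storage access need either a lake-side alerting path or an explicit risk acceptance before CloudTrail and VPN leave the SIEM.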
Immediate (0–90 days): $960k · 4 actions · zero detection impact
Near-term (90–180 days): $580k · 3 actions · minor tuning required
Strategic (6–12 months): $260k · pipeline rearchitecture
Immediate Actions 0–90 DAYS

Remove NetFlow / IPFIX from SIEM ingestion entirely
ACTION: Disable the Cribl route to the SIEM. Archive a 90-day cold copy to S3. Zero detection impact confirmed. No compliance requirement.
Saving: $360k per year

Reduce Palo Alto Traffic Logs by 60% via Cribl sampling
ACTION: Keep deny/alert events in full. Sample or summarise allow-flow events rather than dropping them outright, since allow flows are what confirm a lateral-movement or exfiltration path during an investigation. Tune detection rules to work on summary events.
Saving: $360k per year

Remove Legacy App Syslog from SIEM; archive to cold storage
ACTION: No detections, no investigations, no compliance mapping. Move to S3 Glacier with 7-year retention.
Saving: $180k per year

Remove duplicate syslog fields and normalise at source via Cribl
ACTION: Strip repeated hostname/timestamp duplication. Estimated 15–20% volume reduction across 6 sources.
Saving: $60k per year
Near-Term Actions 90–180 DAYS

Archive Legacy Cisco ASA Firewall (device decommission in Q3)
ACTION: Align with the network team on the Q3 decom timeline. Pre-archive 12 months of cold logs. Remove SIEM ingestion on decom.
Saving: $240k per year

Route AWS CloudTrail to the data lake only; remove SIEM ingestion
ACTION: Federated search via Splunk/S3 is sufficient for investigation and reduces SIEM licensing cost directly. CloudTrail is the AWS-side source for T1530 and Cloud Resource Abuse in the coverage map, so any real-time rule on it needs a lake-side alerting path or an explicit risk acceptance.
Saving: $28k per year

Filter DHCP verbose to error/rogue events only via Cribl
ACTION: Full DHCP lease logs provide no detection value. Filter to rogue-DHCP and pool-exhaustion events only.
Saving: $45k per year
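The Palo Alto and DHCP actions above both come down to a route that forwards the security-relevant subset, thins the rest, and keeps enough aggregate for rules that work on summaries. The following is an added example in plain Python, not a Cribl Stream pipeline or any code from this page. The log lines are constructed for the example, and the comma-separated field order for the traffic records is an assumption, not the PAN-OS traffic log layout; the DHCP lines imitate ISC dhcpd message wording. It goes one step beyond the page by using hash-based rather than random sampling, so the allow events that survive belong to whole flows and can still be correlated.

```python
"""Filter, deterministic sampling and per-flow summary for firewall traffic
logs, plus an error/rogue-only filter for DHCP. Example code; inputs are
constructed and the traffic CSV layout is an assumption."""
import hashlib
import re
from collections import defaultdict

# Constructed traffic records: ts,src,dst,dport,proto,action,bytes
TRAFFIC = """\
2026-05-27T09:00:01Z,10.1.4.20,142.250.70.14,443,tcp,allow,5120
2026-05-27T09:00:02Z,10.1.4.20,142.250.70.14,443,tcp,allow,4096
2026-05-27T09:00:03Z,10.1.4.21,203.0.113.9,22,tcp,deny,0
2026-05-27T09:00:04Z,10.1.4.22,198.51.100.7,445,tcp,drop,0
2026-05-27T09:00:05Z,10.1.4.20,142.250.70.14,443,tcp,allow,3000
2026-05-27T09:00:06Z,10.1.4.23,10.1.9.5,3389,tcp,allow,900
2026-05-27T09:00:07Z,10.1.4.23,10.1.9.5,3389,tcp,allow,1200
2026-05-27T09:00:08Z,10.1.4.24,93.184.216.34,80,tcp,allow,700
""".splitlines()

# Constructed DHCP lines in the style of ISC dhcpd messages.
DHCP = """\
DHCPDISCOVER from 00:11:22:33:44:55 via eth0
DHCPOFFER on 10.1.4.50 to 00:11:22:33:44:55 via eth0
DHCPREQUEST for 10.1.4.50 from 00:11:22:33:44:55 via eth0
DHCPACK on 10.1.4.50 to 00:11:22:33:44:55 via eth0
DHCPNAK on 10.1.4.50 to aa:bb:cc:dd:ee:ff via eth0
DHCPDISCOVER from 00:11:22:33:44:66 via eth0: network 10.1.4.0/24: no free leases
""".splitlines()

SECURITY_ACTIONS = {"deny", "drop", "reset-client", "reset-server", "reset-both"}
DHCP_KEEP = re.compile(r"DHCPNAK|DHCPDECLINE|no free leases|rogue", re.I)


def parse_traffic(line: str) -> dict:
    ts, src, dst, dport, proto, action, nbytes = line.split(",")
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "action": action, "bytes": int(nbytes)}


def sampled_in(key: str, keep_pct: int) -> bool:
    """Hash-based sampling: a flow tuple is either always kept or always
    dropped, so surviving events can be correlated over time. Random
    sampling would leave an analyst with disjoint fragments of many flows."""
    h = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(h[:8], "big") / 2**64 < keep_pct / 100


def route_traffic(lines, keep_allow_pct: int = 40):
    """Forward every deny/drop/reset event, sample allow events, and build a
    per-flow summary so volume and new-destination rules still have input."""
    kept = []
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for line in lines:
        ev = parse_traffic(line)
        if ev["action"] in SECURITY_ACTIONS:
            kept.append(line)          # never thin the security-relevant events
            continue
        key = f"{ev['src']}>{ev['dst']}:{ev['dport']}"
        summary[key]["flows"] += 1     # the summary is emitted for every allow flow
        summary[key]["bytes"] += ev["bytes"]
        if sampled_in(key, keep_allow_pct):
            kept.append(line)          # raw allow event survives only if sampled in
    return kept, dict(summary)


def route_dhcp(lines):
    """Keep only NAK/decline, pool exhaustion and rogue-server messages."""
    return [line for line in lines if DHCP_KEEP.search(line)]


def reduction_pct(before, after) -> float:
    """Volume reduction in raw bytes (newline counted per line)."""
    b = sum(len(line) + 1 for line in before)
    a = sum(len(line) + 1 for line in after)
    return round(100 * (1 - a / b), 1)


if __name__ == "__main__":
    kept, summary = route_traffic(TRAFFIC, keep_allow_pct=40)
    print(f"traffic: {len(TRAFFIC)} in, {len(kept)} out, "
          f"{reduction_pct(TRAFFIC, kept)}% reduction")
    for key, agg in summary.items():
        print(f"  summary {key}: {agg['flows']} flows, {agg['bytes']} bytes")
    dhcp = route_dhcp(DHCP)
    print(f"dhcp: {len(DHCP)} in, {len(dhcp)} out, {reduction_pct(DHCP, dhcp)}% reduction")
```

The per-flow summary is the piece that makes "tune detection rules to work on summary events" realistic: a rule on bytes-to-new-external-destination or on connection counts to port 3389 sees every flow in the summary even when the raw allow line was sampled out. The measured reduction on real data depends on the allow/deny mix, so check it on a day of production logs before committing to the 60% figure.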
Strategic Pipeline Rearchitecture 6–12 MONTHS

Implement PRISM routing intelligence: SIEM → Lake → Archive tiering
ACTION: Deploy a Cribl Stream pipeline with automated value scoring. Estimated 35% ongoing ingest reduction.
Saving: $160k per year

Consolidate Proxy + NetFlow into unified network telemetry via Zeek
ACTION: Replace verbose flow data with Zeek-generated structured events (conn.log, dns.log, ssl.log). Reduces volume 80% while closing the T1557 gap.
Saving: $100k per year
Executive Heat Map — Cost vs Security Value BOARD READY
The one view CISOs show the CFO: where security data spend is creating value and where it is not
Axes: vertical = annual cost (low to high), horizontal = security value (low to high)

🔴 Low Utility (high cost, low value): Eliminate / Sample
  Palo Alto Traffic Logs    $600k
  NetFlow / IPFIX           $360k
  Legacy Firewall (ASA)     $240k
  Legacy App Syslog         $180k
  Total annual spend        $1.38M

🟡 Optimise (high cost, high value): Route to Lake
  Proxy / Web Gateway       $95k
  AWS CloudTrail            $50k
  VPN / Remote Access       $22k
  Total annual spend        $167k

🟣 Monitor (low cost, low value): Filter / Review
  DHCP Verbose              $45k
  Wi-Fi Auth / AAA          $22k
  Print Server Logs         $16k
  Total annual spend        $83k

🟢 Protect (low cost, high value): Maintain & Expand
  Entra ID (Azure AD)       $80k
  CrowdStrike EDR           $60k
  Azure Activity Logs       $35k
  DNS Logs                  $40k
  Email Security            $30k
  Total annual spend        $245k

Spend by Quadrant
🔴 Low Utility (eliminate)      $1,380k · 28%
🟡 Optimise (lake routing)        $167k · 3%
🟣 Monitor (filter/review)         $83k · 2%
🟢 Protect (high value)           $245k · 5%
Other / Unclassified            $3,125k · 62%
Board-Level Summary
We are spending $1.38M/year on data with no security value
47% of ingested volume — zero detections, zero investigations, zero compliance use
Our highest-value sources cost 5% of total spend
Entra ID + CrowdStrike + DNS + Azure Activity = 83% of all detections
$1.8M in recoverable savings — no increase in risk
Full MITRE critical tactic coverage maintained · Analyst workflow unaffected