
Microsoft Sentinel Ingest Logs from Linux Machines

Channel: Concepts Work (39K subscribers)
1.3K views

Published: 17 Oct 2024

Comments: 3

@srikanthk-s6b, 2 months ago
Could you also do a video on how to inject AWS security logs (either from Security Hub or CloudTrail) into Sentinel?
@RichardGailey, 3 months ago
Awesome video series as always. On the DCR rules, is there a way to approximate the size of the logs that will be ingested vs. the old MMA method (grabs everything) when selecting Common Events vs. All Events? Also, is selecting just Common Events good enough from a security monitoring point of view, or are some other logs covered via All Events (ingesting everything) that Common Events wouldn't cover? If that is the case, are we able to select the Common Events option but also include some other types of events we want ingested via additional XPath queries? Just asking, as I know in the past we had an issue where logs that we were ingesting suddenly spiked to over $100K a month from the previous $10K, and I really don't want to run into an issue like that again.
@ConceptsWork, 3 months ago
There is a dual data ingestion issue with Syslog and CEF; we will cover that in a lot more detail. Regarding data ingestion cost, you need to make queries against the data ingestion cost. I mean, you have to calculate the size of data ingestion per table and apply a filter of _isBillable==True.
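The cost check the reply above describes, written out as KQL. This is an added example and is not code from the video or from the Concepts Work channel; it assumes the standard Log Analytics `Usage` table (where `Quantity` is reported in MB and `IsBillable` is a boolean) and the per-table `_IsBillable` and `_BilledSize` columns that Azure Monitor adds to every table, including `Syslog`.

```kql
// Billable ingestion volume per table over the last 30 days.
// Usage.Quantity is in MB; IsBillable marks the rows that count toward cost.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize BillableGB = round(sum(Quantity) / 1024, 2) by DataType
| order by BillableGB desc

// The same idea inside one table: Syslog rows carry their own _IsBillable flag
// and _BilledSize (bytes), so the billable share of what a DCR delivers can be
// broken down by host and facility to spot a sudden spike before the invoice does.
Syslog
| where TimeGenerated > ago(7d)
| where _IsBillable == true
| summarize BillableMB = round(sum(_BilledSize) / (1024 * 1024), 2) by Computer, Facility
| order by BillableMB desc
```

Run the first query before and after changing a DCR's event selection and compare the `Syslog` (or `CommonSecurityLog`) row to estimate the difference; the second query points at the specific hosts or facilities responsible when the total moves.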