Threat-led SIEM transformation delivers 85% cost savings for international retailer

Our solution

CyberProof worked closely with the client to design and implement a successful migration from Splunk to Microsoft Sentinel, ensuring the transformation improved visibility while reducing exposure and costs. The engagement began with hands-on workshops and ongoing consultancy that guided the client’s team through every stage of the migration.

Key elements included:

• Cloud-native architecture: Deployment of a cost-optimized SIEM design using Microsoft Sentinel, with a custom forwarding solution to ensure efficient data flow.
• Smart data management: An intelligent ingestion layer leveraging Cribl and Sentinel prioritized meaningful security telemetry for the SIEM, while archiving other data in a data lake for compliance and forensic purposes.
• Detection engineering at scale: Translation of 264 detection rules from Splunk SPL to Sentinel KQL, alongside real-time attack scenario queries aligned to adversary TTPs.
• Training and knowledge transfer: In-depth coaching and daily collaboration empowered the client’s internal team to independently maintain and optimize the system after the migration.
• Preserving compliance and IP: CyberProof enabled the client to re-implement critical compliance reports (e.g., PCI DSS, SOX) within Sentinel, protecting decades of investment in reporting and intellectual property.

Business Impact

The transformation delivered an 85% reduction in SIEM data costs while maintaining visibility into critical risks. Noise was reduced through smarter ingestion, which sharpened detection accuracy and reduced blind spots. By combining cost efficiency with a threat-led approach to detection engineering, the client strengthened compliance readiness, reduced exposure windows, and gained the autonomy to sustain a resilient, cloud-native SOC well into the future.

Explore how CyberProof can help you anticipate, prevent, and mitigate ever-evolving cyberattacks in hybrid and cloud-native environments.