Author: Adrian Chen
Word count: 3722

Summary

Enterprises that log extensively for security face a recurring trade-off: the richer the telemetry, the higher the cost of storing and managing it. PowerShell logging is a prominent case, because comprehensive script block logging is vital for threat detection yet can produce overwhelming data volumes and expense. The article describes a solution built on the Elastic Stack and the ES|QL (Elasticsearch Query Language) LOOKUP JOIN command: a deduplication strategy that hashes each script block, stores the script text once, and records only a lightweight reference for each execution, drastically reducing storage needs while keeping full analytic capability. This shifts from the traditional model of ingesting every event in full to a more cost-efficient "enrich at query time" approach, in which analysts retrieve complete context on demand without giving up security visibility. The method addresses the storage problem and also makes forensic investigations more efficient, since it integrates with existing security frameworks and detection rules.
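As an added, self-contained Python model of the hash-and-reference scheme the summary describes (this is illustrative code, not Elastic's and not from the original article): script blocks are hashed, each unique script is kept once in a lookup table, execution events carry only the hash, and the script text is rejoined at query time the way an ES|QL LOOKUP JOIN on the hash field would. The script texts and events are constructed samples, and the byte-count comparison is an approximation based on JSON line length.

```python
"""Model of deduplicating PowerShell script-block logs by hash plus reference.

Illustrative code only (not Elastic's): raw events, the split into a scripts
lookup table and slim execution records, and the query-time join are all
simulated in plain Python so the storage effect can be seen offline.
"""
import hashlib
import json

# Constructed sample script blocks; real script-block logs are often far
# larger, which is what makes the hash-and-reference split pay off.
SCRIPT_A = "\n".join([
    "$procs = Get-Process | Where-Object { $_.CPU -gt 100 }",
    "foreach ($p in $procs) {",
    "    Write-Output ('{0} {1} {2}' -f $p.Id, $p.ProcessName, $p.CPU)",
    "}",
    "Get-EventLog -LogName Security -Newest 50 | Format-Table -AutoSize",
])
SCRIPT_B = "Get-ChildItem -Path $env:TEMP -Recurse | Measure-Object -Property Length -Sum"

# Constructed events: the same inventory script runs on ten hosts, a one-off
# script runs once. Hosts and timestamps are made up.
RAW_EVENTS = [
    {"@timestamp": f"2024-05-01T10:{m:02d}:00Z", "host": f"ws-{m:02d}",
     "script_text": SCRIPT_A}
    for m in range(10)
] + [
    {"@timestamp": "2024-05-01T10:30:00Z", "host": "ws-03",
     "script_text": SCRIPT_B},
]


def script_hash(script_text: str) -> str:
    """Content hash used as the join key; identical scripts collide on purpose."""
    return hashlib.sha256(script_text.encode("utf-8")).hexdigest()


def deduplicate(events):
    """Split raw events into a table of unique scripts and slim execution records.

    Returns (scripts, executions): scripts maps hash -> script text and holds
    each unique script exactly once; executions keep the per-run metadata and
    replace the bulky script_text with its hash.
    """
    scripts = {}
    executions = []
    for ev in events:
        h = script_hash(ev["script_text"])
        scripts.setdefault(h, ev["script_text"])
        slim = {k: v for k, v in ev.items() if k != "script_text"}
        slim["script_hash"] = h
        executions.append(slim)
    return scripts, executions


def lookup_join(executions, scripts):
    """Enrich at query time: rejoin script text onto execution records by hash.

    Stands in for an ES|QL LOOKUP JOIN on script_hash. A hash with no row in
    the scripts table yields script_text = None rather than an error, which is
    the gap an analyst would see if the two data sets have different retention.
    """
    enriched = []
    for ex in executions:
        row = dict(ex)
        row["script_text"] = scripts.get(ex["script_hash"])
        enriched.append(row)
    return enriched


def storage_bytes(records) -> int:
    """Approximate stored size as the length of newline-delimited JSON."""
    return sum(len(json.dumps(r, sort_keys=True)) + 1 for r in records)


def savings(events):
    """Return (raw_bytes, dedup_bytes); dedup counts scripts table plus executions."""
    scripts, executions = deduplicate(events)
    script_rows = [{"script_hash": h, "script_text": t} for h, t in scripts.items()]
    return storage_bytes(events), storage_bytes(script_rows) + storage_bytes(executions)


if __name__ == "__main__":
    scripts, executions = deduplicate(RAW_EVENTS)
    print(f"{len(RAW_EVENTS)} executions -> {len(scripts)} unique scripts")
    raw, dedup = savings(RAW_EVENTS)
    print(f"raw {raw} bytes, deduplicated {dedup} bytes")
    for row in lookup_join(executions, scripts):
        print(row["host"], row["script_hash"][:12], row["script_text"].splitlines()[0])
```

The break-even point is worth checking before adopting the scheme: a hex SHA-256 plus its field name costs roughly 80 bytes per execution record, so a script that is shorter than that, or that runs only once, does not shrink, and the gain comes from long script blocks executed repeatedly. The join's None result for an unknown hash is the failure mode to watch for when the scripts table and the execution events are kept for different periods.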