Forum Discussion
Azure Sentinel Normalization?
ajiwanand, we have started a private preview for a normalized schema. Join our Private Previews program if you want to review and provide feedback.
That said, normalization is a broad topic. It would be great to learn what value you are looking for from normalization.
~ Ofer
I will definitely sign up for the preview!
As for clarification, like I said above, my experience lies mostly with traditional SIEM technologies, where we have a large number of log sources reporting into a platform. These log sources are then mapped to a common information schema/format, where we can search one field (e.g. username) and that field is translated to all the username fields of each log source, effectively giving the analyst the ability to query across multiple log sources using a common information schema.
I do know that there is the possibility of aliases, and even parsing into new fields is quite easy with Sentinel; however, the manual work and maintenance required to keep this up to date makes it really tough to achieve.
So essentially, we are looking for a common information schema which allows users to query across multiple log sources easily. I should also add that my perspective on this is also from a service provider (MSSP), and while we may be able to build out the aliases or fields required for one customer, if we are trying to use Sentinel for multiple customers you can probably see the amount of effort required to get this standardized set of fields on all customers. Not to mention the other main issue, which is the training we need to give all analysts if we don't have a standardized set of fields.
Hope this makes sense, and let me know if I'm missing a concept of Sentinel or a feature 🙂
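A concrete illustration of the common-schema approach described in the post above, written as an added KQL example; it is not part of this thread and is not Sentinel's own preview schema. It assumes the standard SecurityEvent and SigninLogs tables are connected to the workspace (the source column names used are the ones those tables expose); the normalized column names (Username, SourceHost, SourceIp, Outcome, SourceTable) and the function name NormalizedAuth are chosen for this example.

```kql
// Added example (not from the thread): map two Sentinel tables onto one
// normalized "authentication" schema so an analyst queries a single field
// name (Username) instead of learning Account vs. UserPrincipalName.
let NormalizedAuth = union isfuzzy=true
    (SecurityEvent
        | where EventID in (4624, 4625)               // Windows logon success / failure
        | project TimeGenerated,
                  Username    = Account,              // DOMAIN\user form
                  SourceHost  = Computer,
                  SourceIp    = IpAddress,
                  Outcome     = iff(EventID == 4624, "Success", "Failure"),
                  SourceTable = "SecurityEvent"),
    (SigninLogs
        | project TimeGenerated,
                  Username    = UserPrincipalName,    // user@tenant form
                  SourceHost  = tostring(DeviceDetail.displayName),
                  SourceIp    = IPAddress,
                  Outcome     = iff(ResultType == "0", "Success", "Failure"),
                  SourceTable = "SigninLogs");
// Analyst query against the common schema: one field name, every source.
// The account name "jdoe" is a constructed placeholder.
NormalizedAuth
| where TimeGenerated > ago(1d)
| where Username =~ "jdoe" or Username endswith @"\jdoe"
| summarize Failures  = countif(Outcome == "Failure"),
            Successes = countif(Outcome == "Success")
          by Username, SourceTable
```

The union block is the part that carries the maintenance burden the post describes: each new log source means one more parenthesized branch that projects its own columns onto the shared names. Storing that block as a Log Analytics saved function (so analysts call NormalizedAuth by name) keeps the mapping in one place per workspace, but for an MSSP it still has to be deployed and kept in step across every customer workspace, which is exactly the standardization cost the post raises.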