Forum Discussion
Azure Sentinel Normalization?
ajiwanand, we have started a private preview for a normalized schema. Join our Private Previews program if you want to review and provide feedback.
That said, normalization is a broad topic. It would be great to learn what value you are looking for from normalization.
~ Ofer
Ofer_Shezaf, I will definitely join the preview program.
As for clarification, like I said, most of my background has been in traditional SIEMs, so forgive me if I'm missing a concept or something like that, but the idea is that if you have a large number of data sources (e.g. CEF, Security Events, other syslog, audit events) reporting to the platform, you should be able to utilize a standardized information schema to search and correlate across all these log sources. Usually a list of predefined fields like Username, IP Address, Host, and some more are parsed to the same field names, allowing the user, whether an analyst or a content creator, to either search across all log sources or create rules that span multiple log sources.
Some vendors even go so far as to classify a "common event", that is, a field that explains what the event means (and is the same for all log sources). I know we can have field aliases or even parse our own fields quite easily; however, the management and manual effort required to keep this up to date is a lot.
Hope this makes sense, let me know if I need to clarify further.
- Ajay J
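The cross-source schema and rule described above, as an added example in KQL (not code from the thread or from Microsoft's preview): it maps three existing Sentinel tables onto one set of normalized columns and then writes a single detection over all of them. The `Norm*` column names and the `LogonSuccess`/`LogonFailure` classification are assumptions for illustration; the table and column names are the standard Sentinel ones.

```kql
// Added illustration: Norm* columns and the event classification are invented
// for this example; SecurityEvent, CommonSecurityLog and Syslog columns are real.
let NormalizedLogon = union
    (SecurityEvent                                      // Windows audit events
     | where EventID in (4624, 4625)
     | project TimeGenerated,
               NormSource    = "SecurityEvent",
               NormUser      = Account,
               NormSrcIp     = IpAddress,
               NormHost      = Computer,
               NormEventType = iff(EventID == 4624, "LogonSuccess", "LogonFailure")),
    (CommonSecurityLog                                  // CEF from appliances
     | where Activity has_any ("login", "logon", "authentication")
     | project TimeGenerated,
               NormSource    = strcat("CEF:", DeviceVendor),
               NormUser      = SourceUserName,
               NormSrcIp     = SourceIP,
               NormHost      = DeviceName,
               // Simplified: vendors word this differently, a real parser
               // would map per DeviceVendor/DeviceEventClassID.
               NormEventType = iff(Activity has "fail", "LogonFailure", "LogonSuccess")),
    (Syslog                                             // Linux sshd via syslog
     | where ProcessName == "sshd" and SyslogMessage has "password for"
     | project TimeGenerated,
               NormSource    = "Syslog",
               NormUser      = extract(@"password for (?:invalid user )?(\S+) from", 1, SyslogMessage),
               NormSrcIp     = extract(@"from (\d+\.\d+\.\d+\.\d+)", 1, SyslogMessage),
               NormHost      = HostName,
               NormEventType = iff(SyslogMessage startswith "Accepted", "LogonSuccess", "LogonFailure"));
// One rule over every source: repeated logon failures for the same user from
// the same address, seen by more than one kind of log, within the last hour.
NormalizedLogon
| where TimeGenerated > ago(1h)
| where NormEventType == "LogonFailure" and isnotempty(NormSrcIp)
| summarize Failures = count(),
            Sources  = make_set(NormSource),
            Hosts    = make_set(NormHost)
            by NormSrcIp, NormUser
| where Failures > 20 and array_length(Sources) > 1
| order by Failures desc
```

The same `NormalizedLogon` expression can be saved as a workspace function so analysts search `NormalizedLogon | where NormSrcIp == "..."` without knowing which table a source lands in.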
- Ofer_Shezaf (Microsoft), Jul 14, 2020
Thanks, makes sense. Extracting specific requirements:
- Microsoft provided parsers to a standard schema
- Easy search across multiple occurrences of similar values in the schema (IP Address, User)
Happy if you join our Private Previews program to give feedback on our normalization project.