Forum Discussion
Azure Sentinel Normalization?
Ofer_Shezaf, I will definitely join the preview program.
As for clarification, like I said, most of my background has been in traditional SIEMs, so forgive me if I'm missing a concept or something like that, but the idea is that if you have a large amount of data sources (e.g. CEF, Security Events, other syslog, audit events) reporting to the platform, you should be able to utilize a standardized information schema to search and correlate across all these log sources. Usually a list of predefined fields like Username, IP Address, Host, and some more are parsed to the same field names, allowing the user, whether it be an analyst or content creator, to either search across all log sources or create rules that span multiple log sources.
Some vendors even go so far as to classify a "common event" that is a field that will explain what the event means (and is the same for all log sources). I know we can have field aliases or even parse our own fields quite easily however the management and manual effort required to keep this up to date is a lot.
Hope this makes sense, let me know if I need to clarify further.
- Ajay J
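As an added illustration of the schema Ajay describes (this is not code from the thread or from Microsoft Sentinel), a small Python normalization layer: three constructed sample events of different source types are parsed into one set of field names plus a vendor-independent "common event" label, so a single search runs across all of them. Windows event IDs 4624/4625 are the real logon success/failure IDs; the CEF extension parsing is simplified (values are assumed to contain no spaces) and the common-event vocabulary is hypothetical.

```python
import re
from dataclasses import dataclass, asdict

# Constructed sample events (not real telemetry): one CEF line, one Windows
# Security Event (as a dict of its fields) and one Linux sshd syslog line.
CEF_LINE = "CEF:0|ExampleVendor|Firewall|1.0|100|Login failed|5|src=10.0.0.5 suser=alice dvchost=fw01"
SECURITY_EVENT = {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "Computer": "dc01"}
SYSLOG_LINE = "Mar  3 10:11:12 web01 sshd[123]: Failed password for alice from 10.0.0.5 port 4242 ssh2"

@dataclass
class NormalizedEvent:
    source: str
    common_event: str   # vendor-independent meaning of the event
    username: str
    src_ip: str
    host: str

# Hypothetical "common event" vocabulary shared by every parser below.
CEF_NAME_TO_COMMON = {"Login failed": "authentication_failure", "Login success": "authentication_success"}
WIN_ID_TO_COMMON = {4625: "authentication_failure", 4624: "authentication_success"}

def parse_cef(line):
    # CEF: seven pipe-separated header fields, then key=value extensions.
    # Simplification: extension values are assumed to contain no spaces.
    *_, name, _severity, ext = line.split("|", 7)
    kv = dict(re.findall(r"(\w+)=(\S+)", ext))
    return NormalizedEvent("cef", CEF_NAME_TO_COMMON.get(name, "unknown"),
                           kv.get("suser", ""), kv.get("src", ""), kv.get("dvchost", ""))

def parse_security_event(ev):
    return NormalizedEvent("security_event", WIN_ID_TO_COMMON.get(ev["EventID"], "unknown"),
                           ev.get("TargetUserName", ""), ev.get("IpAddress", ""), ev.get("Computer", ""))

SSHD_RE = re.compile(r"^\S+ +\d+ \S+ (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)")

def parse_syslog_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    host, outcome, user, ip = m.groups()
    common = "authentication_failure" if outcome == "Failed" else "authentication_success"
    return NormalizedEvent("syslog", common, user, ip, host)

def normalize_all():
    """Run every source through its own parser into the single schema."""
    return [parse_cef(CEF_LINE), parse_security_event(SECURITY_EVENT), parse_syslog_sshd(SYSLOG_LINE)]

def search(events, **criteria):
    """Cross-source search on normalized field names, whatever the original source."""
    return [e for e in events if all(getattr(e, k) == v for k, v in criteria.items())]

if __name__ == "__main__":
    for hit in search(normalize_all(), src_ip="10.0.0.5", common_event="authentication_failure"):
        print(asdict(hit))
```

One analytic rule written against `common_event` and `src_ip` now covers the firewall, the domain controller and the Linux host without knowing their native field names.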
Thanks, makes sense. Extracting specific requirements:
- Microsoft provided parsers to a standard schema
- Easy search across multiple occurrences of similar values in the schema (IP Address, User)
Happy if you join our Private Previews program to give feedback on our normalization project.