
FahadAhmed
Brass Contributor
Jul 28, 2023

Best practice to deal with Excessive Logoff and Logon events

Hi,

Currently we are facing a situation where there are excessive Logon and Logoff events in Microsoft Sentinel in the SecurityEvent table, causing high monthly costs.


Can you please let me know what's the best practice to deal with them? We don't want to drop them entirely, as they may be used in Analytical rules or are required for forensics.


Another option that I saw was to use API transformation to split the logs and store analytics data in the analytics table and forward the other data to the basic table. First, if I send the data directly to the basic table then it won't be used in Analytical rules (correct me if I am wrong?). Secondly, I don't know if we can do this through DCR, since I don't know where and how to run that API transformation.


Any help will be appreciated.


Thanks

3 Replies

  • 1) Data is not available for analytic rules or log alerts:
    https://koosg.medium.com/use-sentinel-basic-and-archive-logs-fae3bb3a6299

    2) For the logon and logoff events, what connector is used in Sentinel for ingest?
    Do you use the Azure Monitor Agent?


    •
      FahadAhmed
      Brass Contributor
      Logon and logoff messages are in the SecurityEvent table; no, ingested through the MMA agent.
      •
        raphaelcustodiosoares
        Iron Contributor

        Standard DCRs are currently supported only for AMA-based connectors and workflows using the new Logs ingestion API.
        https://learn.microsoft.com/en-us/azure/sentinel/data-transformation

        The Logs Ingestion API can send data to the following Azure tables. Other tables may be added to this list as support for them is implemented.

        - CommonSecurityLog
        - SecurityEvents
        - Syslog
        - WindowsEvents
        https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview


        Use SecurityEvents table.
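As an added illustration (not part of any reply above), this is the shape of an AMA data collection rule whose dataFlow applies a transformKql to the Microsoft-SecurityEvent stream before it lands in SecurityEvent: the transformation keeps every logon (4624) and failed logon (4625), keeps interactive and remote-interactive logoffs, and thins out only network (type 3) and service (type 5) logoffs, which are usually the bulk of the volume. The subscription, resource group, workspace and region values are placeholders, and the choice of event ids and logon types to thin is this example's own, to be adjusted after measuring your workspace's volume.

```json
{
  "location": "<region>",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "securityEventLogs",
          "streams": [ "Microsoft-SecurityEvent" ],
          "xPathQueries": [ "Security!*" ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>",
          "name": "sentinelWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-SecurityEvent" ],
        "destinations": [ "sentinelWorkspace" ],
        "transformKql": "source | where not(EventID == 4634 and LogonType in (3, 5))"
      }
    ]
  }
}
```

Because the rows are filtered before ingestion, anything the transformation removes is not available to analytic rules or for later forensics, so check with `SecurityEvent | summarize count() by EventID, LogonType` which combinations actually dominate your cost before settling on the filter.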