Forum Discussion
FahadAhmed
Jul 28, 2023Brass Contributor
Best practice to deal with Excessive Logoff and Logon events
Hi, Currently we are facing a situation where there are excessive Logon and Logoff events in Microsoft sentinel in the SecurityEvent table, causing high monthly costs. Can you please let me know...
raphaelcustodiosoares
Aug 02, 2023Iron Contributor
1) Data is not available for analytic rules or log alerts
https://koosg.medium.com/use-sentinel-basic-and-archive-logs-fae3bb3a6299
2) the events of login and logoff, what connector is used in the sentinel for ingest ?
do you use Azure Monitor Agent ?
FahadAhmed
Aug 04, 2023Brass Contributor
Logon and logoff messages are in the SecurityEvent table, ingested through the MMA agent.
raphaelcustodiosoares
Aug 04, 2023Iron Contributor
Standard DCRs, currently supported only for AMA-based connectors and workflows using the new Logs ingestion API.
https://learn.microsoft.com/en-us/azure/sentinel/data-transformation
The Logs Ingestion API can send data to the following Azure tables. Other tables may be added to this list as support for them is implemented.
- CommonSecurityLog
- SecurityEvents
- Syslog
- WindowsEvents
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview
Use SecurityEvents table.
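To make the advice above concrete, here is an added example of what a standard DCR for the Windows Security Events via AMA connector looks like once you trim logon/logoff noise in it. This is not code from the thread or from Microsoft's documentation; the workspace resource ID and the DCR name are placeholders, and the choice of which events to drop (all 4634 logoffs, plus 4624 network/service logons by machine accounts) is an assumption about what is noisy in a typical estate, so adjust it to your own data. The xPath query does the first cut on the agent, so excluded events never leave the host; `transformKql` then runs in the ingestion pipeline against the `SecurityEvent` schema for finer filtering that xPath cannot express.

```json
{
  "location": "eastus",
  "kind": "Windows",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "securityEventsDataSource",
          "streams": [ "Microsoft-SecurityEvent" ],
          "xPathQueries": [
            "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or EventID=4688 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4756)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-SecurityEvent" ],
        "destinations": [ "sentinelWorkspace" ],
        "transformKql": "source | where not (EventID == 4624 and tostring(LogonType) in ('3', '5') and TargetUserName endswith '$')"
      }
    ]
  }
}
```

Note that 4634 (logoff) is simply absent from the xPath list, which is the cheapest way to drop an event: the agent never reads it. The `transformKql` keeps interactive and remote-interactive 4624 logons (the ones worth alerting on) and drops only network (type 3) and service (type 5) logons from computer accounts, which is the bulk of 4624 volume on domain-joined servers. Before deploying, measure what you would lose with `SecurityEvent | where TimeGenerated > ago(7d) | summarize count() by EventID, tostring(LogonType)` so the filter is driven by your own numbers rather than by assumption, and remember this only helps once the hosts are on AMA, since the thread correctly notes standard DCRs and transformations do not apply to MMA.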