Forum Discussion
AndrewX
May 23, 2022, Iron Contributor
Custom Log schema design
I am retrieving sign in and activity audit data from 3 source systems with 3 different scripts, one for each system, and preparing to send them to a custom log in Azure Monitor/Log Analytics/Sentinel...
GaryBushey
May 24, 2022, Bronze Contributor
One other option is to mimic what MS does with the Advanced Security Information Model (ASIM) https://docs.microsoft.com/en-us/azure/sentinel/normalization
Ingest the data as is and write a KQL function that does the normalization, which you then use in your queries. It saves everyone having to memorize the different layouts of the data.
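The approach above, as an added example (not code from the post or from Microsoft's ASIM parsers). It assumes three hypothetical custom tables, SystemA_CL, SystemB_CL and SystemC_CL, with the classic Log Analytics custom-log column suffixes (_s for string, _d for number), and maps each raw layout onto a subset of the ASIM Authentication field names so that detections are written once against the function rather than three times against the raw tables:

```kql
// Added example; table and column names are assumptions, not from the thread.
// Each raw table keeps its original layout; only the query-time projection changes.
let vimAuthenticationCustom = () {
    // Source A: fields already close to what we need, result is a plain string
    let a = SystemA_CL
        | project
            TimeGenerated,
            EventProduct   = "SystemA",
            EventType      = "Logon",
            EventResult    = iff(result_s == "OK", "Success", "Failure"),
            TargetUsername = tolower(user_s),           // normalise case so joins/summaries work
            SrcIpAddr      = src_ip_s,
            LogonMethod    = auth_method_s;
    // Source B: numeric status code, user split across two columns, logoff events mixed in
    let b = SystemB_CL
        | project
            TimeGenerated,
            EventProduct   = "SystemB",
            EventType      = iff(action_s == "logout", "Logoff", "Logon"),
            EventResult    = iff(status_d == 0, "Success", "Failure"),
            TargetUsername = tolower(strcat(username_s, "@", domain_s)),
            SrcIpAddr      = clientIp_s,
            LogonMethod    = "";                         // not provided by this source
    // Source C: one JSON blob per row in RawData, parsed at query time
    let c = SystemC_CL
        | extend j = parse_json(RawData)
        | project
            TimeGenerated,
            EventProduct   = "SystemC",
            EventType      = "Logon",
            EventResult    = iff(tobool(j.success), "Success", "Failure"),
            TargetUsername = tolower(tostring(j.actor.email)),
            SrcIpAddr      = tostring(j.client.ip),
            LogonMethod    = tostring(j.method);
    union a, b, c
};
// Analysts (and analytics rules) query the function like a table:
vimAuthenticationCustom()
| where TimeGenerated > ago(1d)
| where EventResult == "Failure"
| summarize Failures = count(), Sources = make_set(EventProduct) by TargetUsername, SrcIpAddr
| where Failures > 10
| order by Failures desc
```

In Log Analytics the `let` block is saved with "Save as function" under an alias such as vimAuthenticationCustom so it can be called by name from any workbook, hunting query or analytics rule. Because normalisation happens at query time, the cost of the projection and any parse_json is paid on every run, which is the same trade-off ASIM's own parsers make; if one source is very high volume it is worth checking query duration against the raw table before committing to this design.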