Forum Discussion
Gyaneshwar28
Aug 10, 2022, Copper Contributor
event hub and azure sentinel
Hi, I landed up in the situation where I need to set up azure sentinel for my organization. I have to collect logs from all the resources and push it into azure sentinel. here is the hurdles there...
mikhailf
Aug 10, 2022, Steel Contributor
Hello Gyaneshwar28,
Look at Custom data ingestion and transformation in Microsoft Sentinel (preview) | Microsoft Docs.
It is still in preview mode, but I am sure it can help you to filter the incoming logs.
Clive_Watson
Aug 10, 2022, Bronze Contributor
Event Hub and ADX have costs (and need managing). Doing EH --> ADX --> <process data> --> Sentinel will introduce latency as well, which you need to factor in if you want anything approaching real-time alerts.
The link above and carefully selecting data based on Use Cases would be my approach (i.e. only enable a data source if you are protecting against a Threat it contains). Dropping too much data at the beginning of an installation could mean you never bring in something critical.
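As an added illustration of the ingestion-time filtering mikhailf links to (and of Clive_Watson's point about dropping only what a use case does not need), here is a workspace-transformation data collection rule that trims the Syslog stream before it reaches Sentinel. This is example configuration written for this thread, not from either poster or from Microsoft's docs; the resource ids are placeholders, and the rule assumes the Azure Monitor DCR "WorkspaceTransforms" schema with a `Microsoft-Table-Syslog` input stream.

```json
{
  "type": "Microsoft.Insights/dataCollectionRules",
  "apiVersion": "2021-09-01-preview",
  "name": "dcr-sentinel-syslog-trim",
  "location": "<REGION_PLACEHOLDER>",
  "kind": "WorkspaceTransforms",
  "properties": {
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/<SUB_ID_PLACEHOLDER>/resourceGroups/<RG_PLACEHOLDER>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE_PLACEHOLDER>",
          "name": "sentinelWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-Table-Syslog" ],
        "destinations": [ "sentinelWorkspace" ],
        "transformKql": "source | where not (Facility == 'cron' and SeverityLevel == 'info') | where not (ProcessName == 'systemd' and SyslogMessage startswith 'Started Session') | project-away HostIP"
      }
    ]
  }
}
```

The KQL drops only routine cron and systemd session-start chatter and a column not needed for detections, so authentication, sudo and kernel messages still arrive in full; tighten the `where` clauses per use case rather than filtering whole facilities up front.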