Forum Discussion
Event Hub and Azure Sentinel
Hi,
I ended up in a situation where I need to set up Azure Sentinel for my organization. I have to collect logs from all the resources and push them into Azure Sentinel.
Here are the hurdles:
There is a ton of data, and if I push all of it into Azure Sentinel it will cost a huge amount. That is why I have to write some queries so that I can take a limited amount of data (based on queries) to use in Azure Sentinel.
I have gone through multiple articles but am unable to find which is best in this situation.
What I am thinking: push all data to Event Hub, then from Event Hub push it to Azure Data Explorer, where I will create queries to take a limited amount of data, and then push that data to Azure Sentinel. Kindly let me know if something needs to improve or if you have a better solution.
Thanks
3 Replies
- aj_minecraft911 (Copper Contributor)
Hey Gyaneshwar,
We are currently in the same situation, where I need to have my logs ingested into Sentinel from multiple regions without bringing my resources from on-prem to Azure, or Arc.
Please let me know how you used Event Hubs and Data Explorer to ingest logs from on-prem resources into the Azure Sentinel WS. Thanks.
- mikhailf (Steel Contributor)
Hello Gyaneshwar28,
Look at Custom data ingestion and transformation in Microsoft Sentinel (preview) | Microsoft Docs.
It is still in preview mode, but I am sure it can help you to filter the incoming logs.
- Clive_Watson (Bronze Contributor)
Event Hub and ADX have costs (and need managing). Doing EH --> ADX --> <process data> --> Sentinel will introduce latency as well, which you need to factor in if you want anything approaching real-time alerts.
The link above and carefully selecting data based on Use Cases would be my approach (i.e. only enable a data source if you are protecting against a Threat it contains). Dropping too much data at the beginning of an installation could mean you never bring in something critical.
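Added example, not code from this thread or from Microsoft: what the ingestion-time filtering mikhailf links to and Clive recommends looks like as a single Azure Monitor data collection rule, without an Event Hub or ADX hop. It assumes the Azure Monitor Agent Syslog data collection rule schema; the workspace resource ID is a placeholder, and the facility, severity and process-name choices are constructed for illustration rather than a recommendation.

```json
{
  "location": "eastus",
  "kind": "Linux",
  "properties": {
    "dataSources": {
      "syslog": [
        {
          "name": "authAndDaemonOnly",
          "streams": ["Microsoft-Syslog"],
          "facilityNames": ["auth", "authpriv", "daemon"],
          "logLevels": ["Warning", "Error", "Critical", "Alert", "Emergency"]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.OperationalInsights/workspaces/<SENTINEL_WORKSPACE>",
          "name": "sentinelWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-Syslog"],
        "destinations": ["sentinelWorkspace"],
        "transformKql": "source | where SeverityLevel in ('warning', 'err', 'crit', 'alert', 'emerg') | where not(ProcessName in ('CRON', 'systemd-logind')) | where not(SyslogMessage has 'session opened for user') | project-away HostIP"
      }
    ]
  }
}
```

Two layers of filtering are at work. The `syslog` data source only collects the facilities and levels listed, so the agent never sends the rest. The `transformKql` in the data flow then runs a KQL query over the `source` stream before anything is written to the workspace: rows that match the noisy-process and noisy-message filters are dropped, and `project-away` removes a column that is not needed for the use case. Rows and columns removed here are not ingested, which is the cost lever the original question is after, and because it happens inline there is none of the latency Clive describes for the EH --> ADX --> Sentinel path. Keep the allow list driven by the detections you actually run: start from the events your analytics rules query and only widen the filters when a use case needs more.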