Forum Discussion
endakelly
Feb 26, 2020 · Brass Contributor
Netflow data in Sentinel
Are there any plans to add the ability in Sentinel to ingest netflow logs directly? We're looking at Zscaler which will probably do this and then connect to Sentinel but is there a way to do this wit...
GaryBushey
Feb 26, 2020 · Bronze Contributor
endakelly I don't work for MS so I have no more information than anyone else but I have not seen this mentioned in any of the webinars I have attended.
You can add this as a feature request here: https://feedback.azure.com/forums/920458-azure-sentinel
I did see a request for this in the Log Analytics feature request site: https://feedback.azure.com/forums/267889-azure-monitor-log-analytics/suggestions/19789957-ingestion-and-analysis-of-netflow-logs although it is 2.5 years old and there are no comments about it from MS.
I am not familiar with Netflow, but does it use Syslog or CEF? In that case you would just add one of those data connectors to the server (or use an existing one).
endakelly
Feb 28, 2020 · Brass Contributor
Thanks GaryBushey
The MS docs state that the Cisco Syslog connector will "provide you more insights into your organization’s Internet usage", but from my limited knowledge, Syslog only logs administrative events on ASAs.
We're getting a syslog connector set up so I guess I'll be able to confirm that soon.