Forum Discussion
FahadAhmed
Jul 12, 2022 Brass Contributor
Send Filtered Firewall logs directly to Azure Data Explorer rather than Sentinel?
Hi there, We have a requirement where a customer has Palo Alto firewall which is integrated to Sentinel. The maximum ingestion is coming from "drop" and "end" events/logs. The client want to send th...
Clive_Watson
Jul 13, 2022 Bronze Contributor
https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/monitor-azure-data-explorer and then use
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-ingestion-time-transformations to drop the data you don't want into Log Analytics (and Sentinel)
- FahadAhmed
Jul 13, 2022 Brass Contributor
Hi Clive, I looked at the "Add ingestion-time transformation to Azure Monitor Logs using the Azure portal (preview)" solution. It allows dropping the irrelevant logs prior to ingestion. However, in my scenario we don't want to remove the logs; rather, we want to ingest partial logs and have the remaining ones redirected directly to Azure Data Explorer for long-term storage. Any idea how we can achieve this?
- Clive_Watson
Jul 13, 2022 Bronze Contributor
As far as I know, you'd have to drop the unnecessary columns using a transformation into Log Analytics. Then you'd have to drop the others before taking the other stream into ADX. You can't send column A to Log Analytics and column B to ADX.
Are Basic logs an alternative (if you are happy with the restrictions)? https://docs.microsoft.com/en-us/azure/sentinel/basic-logs-use-cases
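As an added illustration of the ingestion-time transformation Clive points to (this is not code from the thread or from Microsoft's docs), here is a KQL transformation for the CommonSecurityLog stream of a data collection rule that drops only the Palo Alto TRAFFIC "drop" and "end" events and optionally trims a bulky column. It assumes the Palo Alto CEF feed populates DeviceVendor and DeviceEventClassID as shown; verify those values against your own data before enabling it.

```kql
// Ingestion-time transformation (the DCR transformKql string) for CommonSecurityLog.
// Assumption: Palo Alto CEF traffic logs arrive with DeviceVendor == "Palo Alto Networks"
// and DeviceEventClassID carrying the traffic sub-type ("drop", "end", "start", "deny").
// Rows that do not match the filter are discarded before they reach Log Analytics/Sentinel.
source
| where not (DeviceVendor == "Palo Alto Networks"
             and DeviceEventClassID in~ ("drop", "end"))
// Optional column-level trimming, as Clive describes: drop the raw extension blob
// if nothing in your analytics rules or workbooks reads it.
| project-away AdditionalExtensions
```

Before enabling it, size the impact in the workspace with a normal query that summarizes CommonSecurityLog by DeviceEventClassID using sum(_BilledSize), so you can confirm which sub-types actually drive the ingestion volume.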
- FahadAhmed
Jul 13, 2022 Brass Contributor
Clive_Watson Thanks, it was really helpful; much appreciate your prompt response. I see the solution is currently in preview and I have already requested access to be added to my subscription and am now waiting.
Thanks once again for the pointers.
Fahad.