Microsoft Sentinel Data Tiering Best Practices - Tech Community Live!
Tuesday, Oct 29, 2024, 09:00 AM PDT
Event details
Discover the power of the new Auxiliary logs tier (Public Preview) and learn how to use Summary rules (Public Preview) to summarize data from any log tier in Microsoft Sentinel and Log Analytics. We’...
TrevorRusher
Updated Dec 27, 2024
UnipartnerAssociate
Oct 29, 2024 (Copper Contributor)
Hi everyone, these auxiliary logs are really useful for many clients, but I still have some questions:
1. Can we use the CommonSecurityLog table and transition it to auxiliary logs? This is the table used to ingest logs from firewalls, network devices and so on in the CEF format (it was said this isn't supported now; will it be?). This is the main way I see my clients ingesting firewall logs into Sentinel.
2. How does the ingestion work? Can we still use the same AMA agent and just have a different DCR? (It seems like CEF is still not available.) Can you provide an example of how to ingest the logs then?
3. How exactly do the summary rules work? Once a day, hourly? If the same summary rule has equal data on the custom table, does it overwrite it and only save the latest timestamp?
CHARBELNEMNOM
Oct 29, 2024 (Copper Contributor)
For questions 1 and 2: You can ingest CEF (firewall) logs directly into a new custom table (i.e., CommonSecurityLog_CL) using a DCR ingestion-time transformation once transformation becomes supported. The custom table (i.e., CommonSecurityLog_CL) has the Auxiliary tier plan enabled. Then you create a Summary rule, which you can schedule to run every couple of hours or once a day on the custom table (i.e., CommonSecurityLog_CL), and send the summary logs to another custom table with the Analytics tier plan. Check the Summary rule documentation: https://learn.microsoft.com/en-us/azure/sentinel/summary-rules#create-a-summary-rule
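As an added illustration of the Auxiliary-tier plus Summary-rule pattern described in the answer above (example query, not the poster's own), this is the kind of KQL a Summary rule would run against the Auxiliary-tier custom table. It assumes the table is named CommonSecurityLog_CL, that the DCR feeding it kept the CEF field names DeviceVendor, DeviceProduct, DeviceAction, SourceIP, DestinationIP and DestinationPort as columns, and that the rule is scheduled hourly with a matching one-hour lookback so each run covers exactly one bin.

```kql
// Added example, not from the post above. Summary rule query: roll up CEF firewall
// events held in an Auxiliary-tier table into hourly counts that land in an
// Analytics-tier destination table (e.g. CommonSecurityLog_Summary_CL, assumed name)
// where analytics rules and hunting queries can use them.
// Assumed schema: the DCR preserved the CEF column names used below.
CommonSecurityLog_CL
| where isnotempty(DestinationIP)
// Keep denied traffic only; the DeviceAction values are assumptions and should be
// adjusted to whatever the firewall vendor actually emits.
| where DeviceAction in~ ("deny", "drop", "block", "reject")
| summarize
    EventCount      = count(),
    DistinctSources = dcount(SourceIP),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
  by BinStart = bin(TimeGenerated, 1h),
     DeviceVendor, DeviceProduct, DestinationIP, DestinationPort
```

Because each run writes a fresh set of rows for its own time window, rows are appended to the destination table rather than overwriting earlier summaries; a lookback longer than the schedule frequency would therefore produce overlapping bins.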