This post is part of a series of blog posts on Azure Sentinel connectors.
Azure Sentinel supports collecting telemetry from a wide array of Microsoft sources. Some of them are listed on the Sentinel connectors page and in the documentation. However, Sentinel can collect logs from most Azure services and other Microsoft products, even when they are not listed there.
Azure Monitor, and its Log Analytics component, is the underlying log management platform powering Azure Sentinel. As a result, any source that sends logs to Azure Monitor or Log Analytics is inherently supported by Azure Sentinel, and most Azure and Microsoft solutions support sending telemetry to Azure Monitor. You can read more about Azure Monitor collection here: "Collect Azure platform logs in Log Analytics workspace in Azure Monitor."
The following is a general guide to connecting a resource to Log Analytics/Azure Sentinel through the portal. The exact portal flow differs from resource to resource.
To send a service's logs to Sentinel, pick the service (1), select "Activity Log" from the menu (2), and then click the "Logs" button (3). Note that on this screen, before pressing "Logs," you can review the information that will be sent to Sentinel.
On the next screen, click "Add," then "Select workspace," and select the Sentinel workspace. Keep in mind what each option covers: the Activity Log records management-plane (Azure Resource Manager) operations on the resource, while diagnostic settings carry the resource's own logs and metrics, such as data-plane and audit events. So when a service provides diagnostic telemetry but its audit trail is not in the Activity Log, use "Diagnostic settings" instead of "Activity Log" and select "Add diagnostic setting." Diagnostic settings are configured per resource, so each resource you want in Sentinel needs its own setting. Some sources do not use either of these methods and need source-specific instructions.
You can read more about the structure of the events received by Azure Monitor here. Depending on the collection mode the source uses, the telemetry is stored either in the shared AzureDiagnostics table or in a dedicated, resource-specific table.
Each event includes several standard fields, such as time, resource ID, and tenant ID, as described here, as well as per-resource fields. Several standard fields are available in every Log Analytics table, not just the Azure resource tables, such as TimeGenerated, Type, and the billing-related columns; they are listed here.
You can also find a full reference, still under construction, to the Azure Monitor table schema for all sources, not just Azure ones, here. The Azure Monitor GitHub repository contains queries and workbooks for many Azure services that can serve as a starting point for understanding the logs they send.
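As an added example that is not part of the original post, the following shell script ties the two previous parts together with the Azure CLI: it performs the portal "Diagnostic settings" steps from the command line (review the categories a resource can emit, then send the chosen ones to the Sentinel workspace in resource-specific mode), and then checks where the events landed and which standard columns they carry. It assumes `az` is installed and signed in; the resource ID, workspace name, resource group and the sample IDs in the comments are placeholders, and `send-to-sentinel` is an arbitrary name for the diagnostic setting.

```bash
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalent of the
# portal "Diagnostic settings" flow, followed by an ingestion check.
# Assumes 'az' is installed and signed in; all IDs and names are placeholders.
set -eu

# Build the --logs argument for 'az monitor diagnostic-settings create' from
# category names, e.g.: logs_json AuditEvent AzurePolicyEvaluationDetails
logs_json() {
  out=""
  for category in "$@"; do
    out="${out:+$out,}{\"category\":\"$category\",\"enabled\":true}"
  done
  printf '[%s]' "$out"
}

# Split a resource-group-scoped ARM resource ID into the values that Log
# Analytics derives for the SubscriptionId, ResourceGroup, ResourceProvider
# and Resource columns of AzureDiagnostics. Prints them space-separated.
# Example (constructed ID):
#   split_resource_id /subscriptions/<sub>/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-prod
#   -> "<sub> rg-sec Microsoft.KeyVault kv-prod"
split_resource_id() {
  rid="$1"
  sub="${rid#*/subscriptions/}";   sub="${sub%%/*}"
  rg="${rid#*/resourceGroups/}";   rg="${rg%%/*}"
  prov="${rid#*/providers/}";      prov="${prov%%/*}"
  printf '%s %s %s %s\n' "$sub" "$rg" "$prov" "${rid##*/}"
}

# Usage: connect_and_verify <resourceId> <workspaceName> <workspaceRG> <category>...
connect_and_verify() {
  res_id="$1"; ws_name="$2"; ws_rg="$3"; shift 3
  logs="$(logs_json "$@")"

  # 1. Review what the resource can emit (what the portal shows before "Logs").
  az monitor diagnostic-settings categories list --resource "$res_id" -o table

  # 2. Send the chosen categories to the Sentinel workspace.
  #    --export-to-resource-specific selects a dedicated table instead of
  #    AzureDiagnostics; drop it for resource types that only support the latter.
  ws_id="$(az monitor log-analytics workspace show -g "$ws_rg" -n "$ws_name" --query id -o tsv)"
  az monitor diagnostic-settings create \
    --name "send-to-sentinel" \
    --resource "$res_id" \
    --workspace "$ws_id" \
    --export-to-resource-specific true \
    --logs "$logs"

  # 3. Verify. Queries use the workspace customer ID (a GUID). _ResourceId is
  #    present in every table, so 'search *' shows which table got the events.
  ws_guid="$(az monitor log-analytics workspace show -g "$ws_rg" -n "$ws_name" --query customerId -o tsv)"
  az monitor log-analytics query -w "$ws_guid" --analytics-query "
    search *
    | where TimeGenerated > ago(1h) and _ResourceId =~ '$res_id'
    | summarize Events=count() by \$table" -o table

  # 4. For events that went to AzureDiagnostics, the standard columns are
  #    derived from the resource ID the same way split_resource_id does.
  set -- $(split_resource_id "$res_id")
  az monitor log-analytics query -w "$ws_guid" --analytics-query "
    AzureDiagnostics
    | where TimeGenerated > ago(1h)
    | where ResourceProvider =~ '$3' and Resource =~ '$4'
    | project TimeGenerated, TenantId, SubscriptionId, ResourceGroup, Category, OperationName, ResultType" -o table
}

# Only run the workflow when invoked with arguments, so the helper functions
# can also be sourced on their own.
if [ "$#" -ge 4 ]; then
  connect_and_verify "$@"
fi
```

Run it as `sh connect.sh <resourceId> <workspaceName> <workspaceRG> <category>...`, taking the category names from the `categories list` output. Two caveats: resource logs typically take several minutes to appear, so the verification queries can be empty right after the setting is created; and if the resource type does not support resource-specific tables, remove the `--export-to-resource-specific` flag and the events land in AzureDiagnostics, which is what the fourth step reads.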
For additional collection capabilities from servers and workstations, read about collecting using the Log Analytics agent.
For more information on using the agent and these sources, refer to "Azure Sentinel Agent: Collecting from servers and workstations, on-prem and in the cloud."
The Windows firewall writes its logs to files, which the agent collects and sends when the files are rotated. This adds collection latency, which you can reduce by lowering the maximum log file size so that rotation happens sooner, as described here.