Microsoft Tech Community

CEF Proxy for Sentinel and Apparent Log Source

Copper Contributor

Hello colleagues,

I have a question regarding the common scenario where we need to install a Linux VM (on-prem or in the cloud) to act as a proxy to send logs from Fortinet and other CEF log sources like Cisco, etc.

If I use the same VM as a proxy for multiple log sources (like Fortinet, Cisco, etc.), would Sentinel be able to differentiate between the log sources?

Would you rather recommend using one VM proxy per log source, like one for Cisco and another one for Fortinet, to keep it easy for Sentinel?


1 Reply

@SalmanKhan The DeviceVendor and DeviceProduct fields in the CommonSecurityLog should tell you where the data came from.
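To illustrate the reply above: the vendor and product are carried in every CEF header, so a shared collector does not blur them. The following Python parser is an added example (not from this thread or from Microsoft) that splits the CEF header on unescaped pipes and groups constructed sample records by DeviceVendor and DeviceProduct; the hostnames, versions, signature IDs and product strings are illustrative values, not captured from real devices.

```python
import re
from collections import Counter

# Constructed sample records of the kind a Fortinet firewall, a Cisco device and a
# third vendor might send over syslog to one Linux collector. All values are made up.
SAMPLE_LINES = [
    "<134>Apr 03 2024 10:00:01 fw01 CEF:0|Fortinet|FortiGate|7.0|100|traffic|3|src=10.0.0.5 dst=8.8.8.8 act=accept",
    "<134>Apr 03 2024 10:00:02 asa01 CEF:0|Cisco|ASA|9.8|200|Deny|5|src=10.0.0.9 dst=10.1.1.1 act=deny",
    "<134>Apr 03 2024 10:00:03 fw01 CEF:0|Fortinet|FortiGate|7.0|100|traffic|3|src=10.0.0.6 dst=1.1.1.1 act=accept",
    # CEF escapes a literal pipe inside a header field as '\|'; this record checks that path.
    "<134>Apr 03 2024 10:00:04 dev01 CEF:0|Acme\\|Corp|Log\\|Collector|1.0|1|test|1|msg=escaped pipe in header",
]

# The seven CEF header fields, named as Sentinel's CommonSecurityLog exposes them.
HEADER_FIELDS = ("Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Name", "Severity")

def split_header(text):
    """Split on '|' that is not preceded by a backslash, then unescape '\\|' in each part."""
    return [part.replace("\\|", "|") for part in re.split(r"(?<!\\)\|", text)]

def parse_cef(line):
    """Return the CEF header fields plus the raw extension, or None if the line is not CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = split_header(line[idx + len("CEF:"):])
    if len(parts) < len(HEADER_FIELDS) + 1:
        return None  # malformed header: fewer than seven pipes
    record = dict(zip(HEADER_FIELDS, parts[:len(HEADER_FIELDS)]))
    # The extension is everything after the seventh pipe; unescaped '|' is legal there,
    # so rejoin any pieces the split produced.
    record["Extension"] = "|".join(parts[len(HEADER_FIELDS):])
    return record

def count_by_source(lines):
    """Group records by (DeviceVendor, DeviceProduct), ignoring which collector forwarded them."""
    counts = Counter()
    for line in lines:
        rec = parse_cef(line)
        if rec is not None:
            counts[(rec["DeviceVendor"], rec["DeviceProduct"])] += 1
    return counts

if __name__ == "__main__":
    for (vendor, product), n in sorted(count_by_source(SAMPLE_LINES).items()):
        print(f"{vendor:12} {product:14} {n}")
```

The same grouping in Sentinel is a summarize over DeviceVendor and DeviceProduct in CommonSecurityLog; the collector's own hostname is not needed to tell the sources apart.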