Netflow data in Sentinel

Are there any plans to add the ability in Sentinel to ingest netflow logs directly? We're looking at Zscaler which will probably do this and then connect to Sentinel but is there a way to do this without a middleman solution?

4 Replies

@endakelly I don't work for MS so I have no more information than anyone else but I have not seen this mentioned in any of the webinars I have attended.

You can add this as a feature request here: https://feedback.azure.com/forums/920458-azure-sentinel

I did see a request for this in the Log Analytics feature request site: https://feedback.azure.com/forums/267889-azure-monitor-log-analytics/suggestions/19789957-ingestion-...  although it is 2.5 years old and there are no comments about it from MS.

I am not familiar with Netflow but does it use Syslog or CEF, in which case you would just add one of those data connectors to the server (or use an existing one)?
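NetFlow v5 is a binary UDP export format, not syslog or CEF, so a flow exporter cannot be pointed straight at the Sentinel Syslog or CEF connector; something in between has to decode the records and re-emit them as CEF over syslog. The Python below is an added example written for this page, not code from the thread, from Microsoft, or from any vendor: it parses a NetFlow v5 datagram, maps each record onto the CEF extension keys Sentinel's CommonSecurityLog table populates, and wraps each line in RFC 3164 syslog framing. The sample packet, the exporter name `asa-edge-1`, and the CEF vendor/product/signature values are constructed for the example and are not real captures or real identifiers.

```python
"""Decode a NetFlow v5 datagram and re-emit each flow as CEF over syslog.

Added example: the packet is built in-process (constructed, not captured),
and the exporter name and CEF header values are assumptions.
"""
import socket
import struct
import time
from typing import Dict, List, Tuple

# NetFlow v5 wire format: a 24-byte header followed by `count` 48-byte flow
# records, all fields big-endian.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
V5_RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
    "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
    "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)


def parse_netflow_v5(data: bytes) -> Tuple[Dict, List[Dict]]:
    """Parse one UDP payload; reject non-v5 or truncated datagrams outright
    rather than emitting partial flow records."""
    if len(data) < V5_HEADER.size:
        raise ValueError("packet shorter than NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > 30:  # v5 exporters send at most 30 records per datagram
        raise ValueError(f"implausible record count {count}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) < expected:
        raise ValueError(f"truncated packet: {len(data)} < {expected} bytes")
    header = {
        "count": count, "sys_uptime": sys_uptime, "unix_secs": unix_secs,
        "flow_sequence": flow_seq, "engine_id": engine_id,
        "sampling_interval": sampling & 0x3FFF,  # low 14 bits; top 2 are the mode
    }
    flows = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(V5_RECORD_FIELDS, V5_RECORD.unpack_from(data, offset)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        rec["export_time"] = unix_secs
        flows.append(rec)
    return header, flows


def _cef_header_escape(s: str) -> str:
    # CEF header fields must escape backslash and the pipe separator.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext_escape(s: str) -> str:
    # CEF extension values must escape backslash, '=' and newlines.
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def flow_to_cef(flow: Dict, exporter: str) -> str:
    """Map one v5 record onto standard CEF extension keys (src/dst/spt/dpt/
    proto/in/cnt/dvc/rt). Vendor, product and signature ID are assumed values."""
    ext = {
        "rt": str(flow["export_time"] * 1000),  # CEF rt is epoch milliseconds
        "dvc": exporter,
        "src": flow["srcaddr"], "dst": flow["dstaddr"],
        "spt": str(flow["srcport"]), "dpt": str(flow["dstport"]),
        "proto": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(flow["prot"], str(flow["prot"])),
        "in": str(flow["dOctets"]),
        "cnt": str(flow["dPkts"]),
        "deviceInboundInterface": str(flow["input"]),
        "deviceOutboundInterface": str(flow["output"]),
    }
    header = "|".join(_cef_header_escape(f) for f in (
        "CEF:0", "Cisco", "NetFlow", "5", "100", "Flow record", "1"))
    return header + "|" + " ".join(f"{k}={_cef_ext_escape(v)}" for k, v in ext.items())


def to_syslog(cef: str, hostname: str, ts: int) -> str:
    """RFC 3164 framing, facility local4 + severity info = PRI 166, which a
    syslog daemon in front of the Sentinel agent's CEF listener accepts."""
    stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(ts))  # rsyslog accepts zero-padded day
    return f"<166>{stamp} {hostname} {cef}"


def build_sample_packet(flows: List[Dict], unix_secs: int) -> bytes:
    """Constructed test input: encode records the way a v5 exporter would."""
    header = V5_HEADER.pack(5, len(flows), 0, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(
        socket.inet_aton(f["srcaddr"]), socket.inet_aton(f["dstaddr"]),
        socket.inet_aton("0.0.0.0"), 1, 2, f["dPkts"], f["dOctets"], 0, 0,
        f["srcport"], f["dstport"], 0, f.get("tcp_flags", 0), f["prot"], 0,
        0, 0, 24, 24, 0) for f in flows)
    return header + body


SAMPLE_FLOWS = [  # constructed sample traffic, not a real capture
    {"srcaddr": "10.1.2.3", "dstaddr": "198.51.100.7", "srcport": 51234, "dstport": 443,
     "prot": 6, "tcp_flags": 0x18, "dPkts": 12, "dOctets": 4096},
    {"srcaddr": "10.1.2.3", "dstaddr": "203.0.113.9", "srcport": 5353, "dstport": 53,
     "prot": 17, "dPkts": 1, "dOctets": 77},
]


def convert_packet(data: bytes, exporter: str) -> List[str]:
    """One datagram in, one syslog/CEF line per flow out."""
    _, flows = parse_netflow_v5(data)
    return [to_syslog(flow_to_cef(f, exporter), exporter, f["export_time"]) for f in flows]


if __name__ == "__main__":
    pkt = build_sample_packet(SAMPLE_FLOWS, 1583000000)
    for line in convert_packet(pkt, "asa-edge-1"):
        print(line)
```

Run as-is it prints two CEF lines for the constructed packet. In a deployment the parser would sit on the host that receives NetFlow on UDP and hand its output to the local syslog daemon that forwards to the Log Analytics agent's CEF listener; that host is the "middleman" the question asks about, and the version and length checks exist so a malformed or truncated datagram is dropped instead of producing half a flow record.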

Thanks @Gary Bushey

The MS docs state that the Cisco Syslog connector will "provide you more insights into your organization’s Internet usage" but from my limited knowledge, Syslog only logs administrative events on ASAs.

We're getting a syslog connector set up so I guess I'll be able to confirm that soon.

@endakelly Any luck getting the Netflow data to Sentinel? Please let me know. Thanks.

@5unny unfortunately not. It took a bit of a back seat and I've not looked at it since.

Can confirm Gary's observation that syslog only shows Cisco administrative events.