Can I create DCR on a custom Data table?

Porter76 · ‎Jan 10 2024

Currently have a custom data table setup to ingest our AWS WAF logs. It is ingesting an enormous amount of data and I need a way to reduce this for the sake of cost. Is it possible to accomplish this with a Data Collection Rule? Do I need to configure a Data Collection Endpoint?

Appreciate any insight.

Clive_Watson · ‎Jan 12 2024

You need to be on the Log Ingestion API, have you seen: https://learn.microsoft.com/en-gb/azure/azure-monitor/logs/custom-logs-migrate

MHenshaw · ‎Jan 15 2024

Hi there

If you are using the aws connector to bring in your logs, you can go to the log workspace > tables > $YOURAWSTABLE > 3 little dots and create transformation. here you can drop the logs you dont need and they wont ingested :)

Porter76 · ‎Jan 16 2024

Hi Clive,
The initial connector was setup with an AWS Lambda PS script that created the custom table in Sentinel and then periodically pushes the logs from an S3 to Sentinel.. How can I confirm whether i'm already on the Log Ingestion API?

Clive_Watson · ‎Jan 16 2024

@Porter76

If you go from Sentinel --> Settings --> Workspace settings. Then look at [tables] if they are (classic) then you are NOT on the right API. Select "edit schema" to get more info

Porter76 · ‎Jan 16 2024

@Clive_Watson

Here's what I see when I follow those steps and look up the table I want to trim down. I don't see that it's classic.

Can I create DCR on a custom Data table?

Can I create DCR on a custom Data table?

Re: Can I create DCR on a custom Data table?

Re: Can I create DCR on a custom Data table?

Re: Can I create DCR on a custom Data table?

Re: Can I create DCR on a custom Data table?

Re: Can I create DCR on a custom Data table?

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Can I create DCR on a custom Data table?