Custom Log schema design

Frequent Contributor

I am retrieving sign in and activity audit data from 3 source systems with 3 different scripts, one for each system, and preparing to send them to a custom log in Azure Monitor/Log Analytics/Sentinel.

 

I know that once in Azure Monitor I will be writing queries and having to join or union the 3 datasets, so my questions are;

  • Should I try normalise the fields, and add all three logs into a single Azure Monitor log table?
  • Should I keep them in 3 separate tables and use "join" commands to bring them together?

I remember in Filebeat, it would hold many different log sources in the one index (table), and so wondering if i should do the same here in Azure?

1 Reply
One other option is to mimic what MS does with the Advanced Security Information Model (ASIM) https://docs.microsoft.com/en-us/azure/sentinel/normalization
Ingest the data as is and write a KQL function that does the normalization which you then use in your queries. Saves having everyone having to memorize the different layouts of data