Duplication of events before ingesting


Good morning guys.

I'm working on pointing the fw ASA logs to Sentinel.


I realized that many logs are being sent with the same payload and time within 1 minute, to the point that some log types are sent as more than 30 identical events.


My question is, is there any Sentinel mechanism for summarizing events before ingesting them, so that duplicate events are not ingested? I know QRadar does that.


EX: If the client receives a DDoS attack on a device, will Sentinel summarize several logs and ingest only a few or will it ingest all of the logs?


If you have any answers, you are welcome. :)  @Gary Bushey  @Thijs Lecomte @CliveWatson 

1 Reply
Hi

By default, Azure Sentinel does not support filtering pre-ingestion. You could look into setting up something such as Logstash to filter the logs before they reach Azure Sentinel.

https://docs.microsoft.com/en-us/azure/sentinel/connect-logstash
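To make the Logstash suggestion in the reply concrete, here is an added example (not code from this thread, from Microsoft, or from the Logstash project) of the kind of pre-ingestion summarisation a filter stage would perform: identical ASA payloads arriving within a 60-second window are collapsed into one record carrying a repeat count, first-seen and last-seen timestamps and a fingerprint of the payload, so the "30 identical events" case ingests as a single row without losing the information that it repeated. It is written in plain Python rather than Logstash pipeline syntax so it runs stand-alone; the sample syslog lines, the output field names and the 60-second window are constructed assumptions, not values from the thread.

```python
"""Collapse repeated identical firewall events inside a time window.

Added example, not from the original thread. Sample lines below are
constructed to look like Cisco ASA syslog; they are not real data.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# ASA syslog as forwarded with a "Mon DD YYYY HH:MM:SS: " prefix (assumed layout).
ASA_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): (?P<msg>.*)$"
)

# Constructed sample: payload A repeats 4 times inside one minute, payload B
# appears once, then A shows up again after the window has expired, plus one
# line that does not parse at all.
_A = ('%ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 '
      'dst inside:10.0.0.10/443 by access-group "outside_in" [0x0, 0x0]')
_B = ('%ASA-6-302013: Built inbound TCP connection 12345 for '
      'outside:198.51.100.7/51000 (198.51.100.7/51000) to '
      'inside:10.0.0.10/443 (10.0.0.10/443)')
SAMPLE_LINES = [
    "Mar 01 2021 10:15:01: " + _A,
    "Mar 01 2021 10:15:02: " + _A,
    "Mar 01 2021 10:15:03: " + _A,
    "Mar 01 2021 10:15:10: " + _B,
    "Mar 01 2021 10:15:45: " + _A,
    "Mar 01 2021 10:16:30: " + _A,
    "not an ASA line",
]


@dataclass
class Summary:
    """One ingestible record standing in for N identical raw events."""
    first_seen: datetime
    last_seen: datetime
    message: str
    repeat_count: int = 1

    def as_record(self) -> dict:
        # Column names are this example's own choice (assumed custom-table schema).
        return {
            "TimeGenerated": self.first_seen.isoformat(),
            "LastSeen": self.last_seen.isoformat(),
            "Message": self.message,
            "RepeatCount": self.repeat_count,
            "Fingerprint": hashlib.sha256(self.message.encode()).hexdigest(),
        }


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Split a raw line into (timestamp, payload); None if it does not match."""
    m = ASA_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("msg")


def dedupe(lines, window: timedelta = timedelta(seconds=60)) -> Tuple[List[dict], List[str]]:
    """Collapse identical payloads seen within `window` of their first occurrence.

    Returns (summarised records ordered by first_seen, unparseable raw lines).
    Unparseable lines are handed back rather than silently dropped, so the
    caller can still forward them as-is.
    """
    open_windows: Dict[str, Summary] = {}   # payload -> summary still accepting repeats
    flushed: List[Summary] = []
    unparsed: List[str] = []

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unparsed.append(line)
            continue
        ts, msg = parsed
        current = open_windows.get(msg)
        if current is not None and ts - current.first_seen <= window:
            # Same payload inside the window: count it instead of emitting it again.
            current.repeat_count += 1
            current.last_seen = max(current.last_seen, ts)
            continue
        if current is not None:
            flushed.append(current)   # window expired: emit the finished summary
        open_windows[msg] = Summary(ts, ts, msg)

    flushed.extend(open_windows.values())
    flushed.sort(key=lambda s: s.first_seen)
    return [s.as_record() for s in flushed], unparsed


if __name__ == "__main__":
    records, leftovers = dedupe(SAMPLE_LINES)
    for rec in records:
        print(rec["TimeGenerated"], "x%d" % rec["RepeatCount"], rec["Message"][:40])
    print("unparsed:", leftovers)
```

The window is keyed on the first occurrence, so a payload that repeats steadily still produces one record per minute rather than one record forever; that keeps the event rate visible in `RepeatCount` (a burst during a DDoS shows up as a high count) while bounding ingestion volume. The `Fingerprint` column is what a later KQL query can group on if the same payload is also reported from more than one collector.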