Microsoft Tech Community

event hub and azure sentinel


Hi,

I ended up in a situation where I need to set up Azure Sentinel for my organization. I have to collect logs from all the resources and push them into Azure Sentinel.

Here are the hurdles:

There is a ton of data, and if I push all of it into Azure Sentinel it will cost me a huge amount. That is why I have to make some queries so that I can take a limited amount of data (based on queries) which I can use in Azure Sentinel.

I have gone through multiple articles but am unable to find which is best in this situation.

What I am thinking: push all data to Event Hub, then from Event Hub push it to Azure Data Explorer, where I will create queries to take a limited amount of data, and then push that data to Azure Sentinel. Kindly let me know if something needs to improve or if you have a better solution.

Thanks


2 Replies

Hello @Gyaneshwar28,


Look at Custom data ingestion and transformation in Microsoft Sentinel (preview) | Microsoft Docs.

It is still in preview mode, but I am sure it can help you to filter the incoming logs.

Event Hub and ADX have costs (and need managing). Doing EH --> ADX --> <process data> --> Sentinel will introduce latency as well, which you need to factor in if you want anything approaching real-time alerts.

The link above and carefully selecting data based on Use Cases would be my approach (i.e. only enable a data source if you are protecting against a Threat it contains). Dropping too much data at the beginning of an installation could mean you never bring in something critical.
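As an added illustration of the ingestion-time filtering the reply points to (this is example configuration written for this page, not something from the original post or from Microsoft's documentation), below is a workspace transformation Data Collection Rule in the Azure Monitor format. It keeps only a handful of Windows security event IDs in the SecurityEvent table before the rows are stored, so the dropped events never count toward the workspace's ingestion volume and never have to transit Event Hub or ADX. The subscription, resource group, workspace name, region and rule name are placeholders; the event ID list is a constructed example of a use-case-driven selection (successful/failed logons, process creation, account creation, local group membership change, audit log cleared), not a recommended minimum set.

```json
{
  "type": "Microsoft.Insights/dataCollectionRules",
  "apiVersion": "2022-06-01",
  "name": "dcr-sentinel-securityevent-filter",
  "location": "<REGION>",
  "kind": "WorkspaceTransforms",
  "properties": {
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE_NAME>",
          "name": "sentinelWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-Table-SecurityEvent" ],
        "destinations": [ "sentinelWorkspace" ],
        "transformKql": "source | where EventID in (4624, 4625, 4688, 4720, 4732, 1102)"
      }
    ]
  }
}
```

The `transformKql` query is ordinary KQL run against each incoming batch (`source`); anything the `where` clause filters out is discarded in the ingestion pipeline rather than written to the table, and you can extend the same query with `project-away` to drop unneeded columns. The trade-off the reply raises still applies: a row dropped here is gone, so the filter should be derived from the detections you actually run (for example, the event IDs your analytics rules query) and reviewed whenever a new use case is onboarded, rather than set once at installation.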