Do I still need the old log analytics agent to ingest CEF-logs and setup a (fortinet) dataconnector to get proper parsed logs into "commonsecuritylogs" as it seems the AMA can't do that yet (for now)
Or can i use logstash (which uses the rest api) to ingest data into a custom log-table and then transform it to "commonsecuritylog" ? The important part is that I want to use the many data connectors available that are already in Sentinel.
Yes, which will be EOL soon. So I don't feel like installing something that is gone or deprecated in 2 years. So the next logical step would be the AMA, which doesn't support CEF (yet). That's why i'm looking at logstash, which technically uses the rest api output and (as i understand it) should be able to transform from custom log tables to commonsecuritylogs tables with the new DCE/DCR feature.
So can I use the data connectors (like fortinet, it was just an example) in that scenario?
It seems to me microsoft is just pushing wayyy too many public preview features at the same time and it's getting really confusing which long-term, reliable solution to go for :)
best response confirmed by
kenvb (Copper Contributor)
That's a fair point, however this is the method Microsoft is supporting today. If you do something different, you have to support it, and you may also have to adapt the Rules, Workbooks or Playbooks to look at the custom table you are ingesting. If you can bring the data into CommonSecurityLog then that's not an issue.
1 best response
Accepted Solutions
best response confirmed by
kenvb (Copper Contributor)
That's a fair point, however this is the method Microsoft is supporting today. If you do something different, you have to support it, and you may also have to adapt the Rules, Workbooks or Playbooks to look at the custom table you are ingesting. If you can bring the data into CommonSecurityLog then that's not an issue.
