How to get CEF-based logs into sentinel (LA, AMA or Logstash) AND use the data connectors.

Do I still need the old Log Analytics agent to ingest CEF logs and set up a (Fortinet) data connector to get properly parsed logs into "CommonSecurityLog", as it seems the AMA can't do that yet (for now)?

Or can I use Logstash (which uses the REST API) to ingest data into a custom log table and then transform it to "CommonSecurityLog"? The important part is that I want to use the many data connectors that are already available in Sentinel.

https://docs.microsoft.com/en-us/azure/sentinel/connect-logstash : here it says it uses the REST API.

https://docs.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-overview#tables : here it says it uses the "custom logs API" to ingest logs, which can be transformed into one of the supported built-in tables.

3 Replies

@kenvb 

The Fortinet Data Connector uses the Microsoft Monitoring Agent

[image: Clive_Watson_0-1651080044339.png]

and

[image: Clive_Watson_1-1651080092693.png]

Yes, which will be EOL soon. So I don't feel like installing something that is gone or deprecated in 2 years.
So the next logical step would be the AMA, which doesn't support CEF (yet).
That's why I'm looking at Logstash, which technically uses the REST API output and (as I understand it) should be able to transform from custom log tables to CommonSecurityLog tables with the new DCE/DCR feature.

So can I use the data connectors (like Fortinet, it was just an example) in that scenario?

It seems to me Microsoft is just pushing way too many public preview features at the same time, and it's getting really confusing which long-term, reliable solution to go for :)

That's a fair point, however this is the method Microsoft is supporting today.
If you do something different, you have to support it, and you may also have to adapt the Rules, Workbooks or Playbooks to look at the custom table you are ingesting. If you can bring the data into CommonSecurityLog then that's not an issue.
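The thread's open question is what "bring the data into CommonSecurityLog" actually requires when the CEF traffic arrives through Logstash and the Logs Ingestion API instead of the MMA-based connector: the CEF header and extensions have to land in the same CommonSecurityLog columns the connector would populate, or the built-in rules and workbooks (which filter on DeviceVendor, DeviceProduct, SourceIP and so on) will not see the events. The following is an added example, not code from the thread or from Microsoft; it is a small Python stand-in for what the Logstash CEF codec plus a DCR-based output would do. It parses CEF lines (syslog-wrapped or bare) into records keyed by CommonSecurityLog column names and builds the Logs Ingestion API request for a DCR that targets CommonSecurityLog. Everything about the Azure side is an assumption for illustration: the DCE URL, the DCR immutable ID, the input stream name `Custom-CefRaw`, and a DCR whose `outputStream` is `Microsoft-CommonSecurityLog`. The extension-key mapping is a subset of the documented CEF-to-CommonSecurityLog mapping; check it against your workspace schema before relying on it. The sample log lines are constructed, not real device output.

```python
"""Added example: parse CEF (optionally syslog-wrapped) into CommonSecurityLog-shaped
records and build the Logs Ingestion API call that a DCR routes to CommonSecurityLog."""
import json
import re
from datetime import datetime, timezone

# CEF extension key -> CommonSecurityLog column. A subset of the documented
# CEF-to-CommonSecurityLog mapping; unmapped keys are kept in AdditionalExtensions
# as "key=value;key2=value2", which is how the Sentinel CEF pipeline stores them.
CEF_TO_CSL = {
    "src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort", "dpt": "DestinationPort",
    "proto": "Protocol", "act": "DeviceAction", "msg": "Message", "cat": "DeviceEventCategory",
    "suser": "SourceUserName", "duser": "DestinationUserName",
    "shost": "SourceHostName", "dhost": "DestinationHostName",
    "dvc": "DeviceAddress", "dvchost": "DeviceName", "app": "ApplicationProtocol",
    "in": "ReceivedBytes", "out": "SentBytes", "outcome": "EventOutcome", "reason": "Reason",
    "request": "RequestURL", "requestMethod": "RequestMethod",
    "externalId": "ExternalID", "deviceExternalId": "DeviceExternalID",
    "deviceDirection": "CommunicationDirection",
    "cs1": "DeviceCustomString1", "cs1Label": "DeviceCustomString1Label",
    "cs2": "DeviceCustomString2", "cs2Label": "DeviceCustomString2Label",
    "cn1": "DeviceCustomNumber1", "cn1Label": "DeviceCustomNumber1Label",
}

# Header fields are '|'-separated; a literal pipe inside a field is escaped as '\|'.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# The extension is key=value pairs; values may contain spaces, so a value runs (lazily)
# until the next " key=" token. A literal '=' inside a value must be escaped as '\='.
_EXT_PAIR = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)", re.DOTALL)
_EXT_ESC = {"n": "\n", "r": "\r"}


def _unescape_header(s: str) -> str:
    return re.sub(r"\\([\\|])", r"\1", s)


def _unescape_ext(s: str) -> str:
    return re.sub(r"\\([\\=nr])", lambda m: _EXT_ESC.get(m.group(1), m.group(1)), s)


def parse_cef(line: str) -> dict:
    """Map one CEF line onto CommonSecurityLog column names. Raises ValueError on junk,
    so a caller can dead-letter the line instead of shipping a half-parsed record."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    parts = _HEADER_SPLIT.split(line[start:].rstrip("\r\n"), maxsplit=7)
    if len(parts) < 7 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    vendor, product, version, sig_id, name, severity = (_unescape_header(p) for p in parts[1:7])
    record = {
        "DeviceVendor": vendor, "DeviceProduct": product, "DeviceVersion": version,
        "DeviceEventClassID": sig_id, "Activity": name, "LogSeverity": severity,
    }
    unmapped = []
    for key, raw in _EXT_PAIR.findall(parts[7] if len(parts) == 8 else ""):
        value = _unescape_ext(raw)
        column = CEF_TO_CSL.get(key)
        if column:
            record[column] = value
        else:
            unmapped.append(f"{key}={value}")
    if unmapped:
        record["AdditionalExtensions"] = ";".join(unmapped)
    return record


def build_ingestion_request(records, dce_endpoint, dcr_immutable_id, stream_name, bearer_token):
    """Return (url, headers, body) for the Azure Monitor Logs Ingestion API.
    Assumed: the DCR declares stream_name (e.g. Custom-CefRaw) as its input stream and
    Microsoft-CommonSecurityLog as its outputStream; bearer_token was obtained for the
    https://monitor.azure.com/.default scope by an app holding 'Monitoring Metrics Publisher'
    on the DCR. TimeGenerated is stamped here because the destination table requires it."""
    url = (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{stream_name}?api-version=2023-01-01")
    headers = {"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"}
    now = datetime.now(timezone.utc).isoformat()
    body = json.dumps([{"TimeGenerated": now, **r} for r in records])
    if len(body.encode()) > 1_000_000:  # documented per-call limit is 1 MB; batch below it
        raise ValueError("batch exceeds 1 MB, split it")
    return url, headers, body


# Constructed sample lines (not real device output): one syslog-wrapped Fortinet-style
# event with an escaped '=' in msg and an unmapped key, one with an escaped '|' in the name.
SAMPLE_LINES = [
    r"<134>Apr 27 15:04:05 fw01 CEF:0|Fortinet|Fortigate|v6.4.8|37127|deny|3|"
    r"src=10.0.0.5 spt=51234 dst=203.0.113.9 dpt=443 proto=TCP act=deny "
    r"msg=Blocked by policy\= 12 deviceDirection=1 policyid=12",
    r"CEF:0|Acme|Web Proxy|1.0|100|URL\|blocked|5|request=http://example.test/x?a\=b "
    r"requestMethod=GET cs1Label=Category cs1=Malware cn1=1 cn1Label=Blocked",
]

if __name__ == "__main__":
    records = [parse_cef(l) for l in SAMPLE_LINES]
    url, headers, body = build_ingestion_request(
        records, "https://my-dce.eastus-1.ingest.monitor.azure.com",  # assumed DCE/DCR values
        "dcr-00000000000000000000000000000000", "Custom-CefRaw", "<token>")
    print(url)
    print(json.dumps(records, indent=2))
```

The three Azure values the request builder takes (DCE endpoint, DCR immutable ID, stream name) are the same ones the DCR-based Logstash output plugin, microsoft-sentinel-log-analytics-logstash-output-plugin, is configured with, so the parsing shown here is the part that decides whether the content-hub rules and workbooks work: a rule that filters on `DeviceVendor == "Fortinet"` only fires if the header fields are split into those columns rather than left in a raw-message column of a custom table. The parser rejects lines without a `CEF:0` header so that malformed input is dead-lettered instead of being sent half-parsed.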