Sample Data from Community GitHub to Sentinel


Hi, what’s the easiest way to ingest the sample csv/json files found at https://github.com/Azure/Azure-Sentinel/tree/master/Sample%20Data to my Sentinel instance please? Mainly interested in the CEF and Custom samples.

2 Replies
Easiest way would be to use the PowerShell upload script here - https://docs.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-powershell. Obviously using Import-Csv and Import-Json where relevant.

The problem for CEF data is that you can only use the API/PowerShell to upload to custom tables. So the data won't show up in the CommonSecurityLog table. The only way I know to get those logs into the correct table is unfortunately complex. It requires setting up an OMS agent on a Linux host, and configuring rsyslog to ingest those files and forward them to the OMS agent.
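The custom-table path described in the reply above, written out as an added example (this is not the script from the linked docs page, nor anything posted in the thread). It loads one sample file with Import-Csv or, for JSON, Get-Content | ConvertFrom-Json (PowerShell has no built-in Import-Json cmdlet), then posts it in batches to the Log Analytics HTTP Data Collector API with the SharedKey signature that API requires. $WorkspaceId, $SharedKey, $SampleFile and $LogType are placeholders you supply; the custom table shows up as "<LogType>_CL".

```powershell
# Added example: upload a Sample Data csv/json file to a Log Analytics custom table.
# Not Microsoft's script. Placeholders: -WorkspaceId / -SharedKey are the workspace ID and
# primary key (Agents management blade), -SampleFile is a file from the cloned "Sample Data"
# folder, -LogType becomes the table name (letters, digits, underscore; "_CL" is appended).
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,
    [Parameter(Mandatory)] [string] $SharedKey,
    [Parameter(Mandatory)] [string] $SampleFile,
    [Parameter(Mandatory)] [string] $LogType,
    [string] $TimeStampField = ''   # optional: name of a field holding an ISO 8601 timestamp per record
)

# Pick the importer from the file extension; both return an array of PSCustomObjects.
function Import-SampleData([string] $Path) {
    switch ([IO.Path]::GetExtension($Path).ToLowerInvariant()) {
        '.csv'  { return @(Import-Csv -Path $Path) }
        '.json' { return @(Get-Content -Path $Path -Raw | ConvertFrom-Json) }
        default { throw "Unsupported sample file type: $Path" }
    }
}

# Data Collector API signature: HMAC-SHA256 over the canonical string, keyed with the
# base64-decoded shared key, sent as "SharedKey <workspaceId>:<base64 signature>".
function New-DataCollectorSignature {
    param([string] $WorkspaceId, [string] $SharedKey, [string] $Date, [int] $ContentLength)
    $stringToSign = "POST`n$ContentLength`napplication/json`nx-ms-date:$Date`n/api/logs"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $signature = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)))
    return "SharedKey ${WorkspaceId}:${signature}"
}

# POST one JSON array to the workspace; returns the HTTP status (200 = accepted).
function Send-LogAnalyticsData {
    param([string] $WorkspaceId, [string] $SharedKey, [string] $LogType, [byte[]] $Body, [string] $TimeStampField)
    $rfc1123 = [DateTime]::UtcNow.ToString('r')   # x-ms-date must match what was signed
    $headers = @{
        'Authorization' = New-DataCollectorSignature -WorkspaceId $WorkspaceId -SharedKey $SharedKey `
                              -Date $rfc1123 -ContentLength $Body.Length
        'Log-Type'      = $LogType
        'x-ms-date'     = $rfc1123
    }
    if ($TimeStampField) { $headers['time-generated-field'] = $TimeStampField }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    $response = Invoke-WebRequest -Uri $uri -Method Post -ContentType 'application/json' `
                    -Headers $headers -Body $Body -UseBasicParsing
    return $response.StatusCode
}

if ($LogType -notmatch '^[A-Za-z0-9_]{1,100}$') {
    throw 'Log-Type may contain only letters, digits and underscore (max 100 chars)'
}
$records = Import-SampleData -Path $SampleFile
if (-not $records) { throw "No records found in $SampleFile" }

# Batch the records; the API rejects single posts above 30 MB, and 1000 rows keeps each
# request well under that for these sample files.
$batchSize = 1000
for ($i = 0; $i -lt $records.Count; $i += $batchSize) {
    $end  = [Math]::Min($i + $batchSize - 1, $records.Count - 1)
    $json = ConvertTo-Json -InputObject @($records[$i..$end]) -Depth 10 -Compress
    $body = [Text.Encoding]::UTF8.GetBytes($json)   # sign and send the exact bytes posted
    $status = Send-LogAnalyticsData -WorkspaceId $WorkspaceId -SharedKey $SharedKey `
                  -LogType $LogType -Body $body -TimeStampField $TimeStampField
    Write-Host ("Records {0}-{1}: HTTP {2} ({3} bytes)" -f $i, $end, $status, $body.Length)
}
```

Usage: `.\Upload-SampleData.ps1 -WorkspaceId <id> -SharedKey <key> -SampleFile '.\Sample Data\Custom\Example.csv' -LogType ExampleSample` and query `ExampleSample_CL` after a few minutes. Every Import-Csv field arrives as a string, so numeric columns land as `_s`, not `_d`; cast them with `[int]`/`[double]` before posting if you want typed columns. Treat the shared key like a credential: it lets anyone write to the workspace.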
Thank you, I will try the PowerShell script! :)

I do have a Linux host with the OMS agent but couldn't figure out how to correctly add the files to syslog. I've tried something like logger -f sampledata.json -t CEF but that didn't work :(
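For the CommonSecurityLog half of the thread, an added example (not from the posts above and not Microsoft's onboarding script): send CEF text to the Linux forwarder as syslog over TCP from PowerShell. It assumes the host was set up with the Sentinel CEF connector, whose rsyslog configuration listens on 514 and forwards any message containing the literal "CEF:" to the OMS agent on 127.0.0.1:25226; that rule is why the payload has to be raw CEF lines, not a JSON wrapper around them. $Forwarder and $CefFile are placeholders; the single CEF line in the script is constructed, not taken from the Sample Data repository.

```powershell
# Added example: push CEF lines to a Sentinel CEF/Syslog forwarder over TCP syslog so they
# reach the OMS agent and land in CommonSecurityLog. Assumes rsyslog on $Forwarder listens
# on 514/TCP and forwards "CEF:" messages to 127.0.0.1:25226 (Sentinel CEF connector setup).
param(
    [Parameter(Mandatory)] [string] $Forwarder,
    [string] $CefFile,                         # optional: file with one raw CEF message per line
    [int]    $Port = 514,
    [string] $SourceHost = $env:COMPUTERNAME   # becomes the syslog HOSTNAME field (Computer column)
)

# Constructed sample message used when no file is given (not a line from the Sample Data repo).
$sampleCef = @(
    'CEF:0|Contoso|DemoFirewall|1.0|100|Inbound connection denied|5|src=203.0.113.10 spt=51234 dst=10.0.0.5 dpt=3389 proto=TCP act=deny'
)

# Wrap a CEF record in an RFC 3164 header: "<PRI>Mmm dd HH:mm:ss HOSTNAME CEF:0|...".
# PRI 134 = facility local0 (16) * 8 + severity info (6); day is space-padded per the RFC.
function Format-SyslogCef {
    param([string] $Cef, [string] $Hostname, [DateTime] $When = (Get-Date))
    if ($Cef -notmatch '^CEF:\d+\|') { throw "Not a CEF record: $Cef" }
    $inv   = [Globalization.CultureInfo]::InvariantCulture
    $stamp = '{0} {1,2} {2}' -f $When.ToString('MMM', $inv), $When.Day, $When.ToString('HH:mm:ss', $inv)
    return "<134>$stamp $Hostname $Cef"
}

# Deliver the framed messages over one TCP connection; rsyslog's imtcp default framing is
# LF-terminated lines, and the encoder is BOM-less UTF-8 so the first message is not mangled.
function Send-SyslogTcp {
    param([string] $Server, [int] $Port, [string[]] $Messages)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $writer = New-Object System.IO.StreamWriter($client.GetStream(), (New-Object System.Text.UTF8Encoding($false)))
        $writer.NewLine = "`n"
        foreach ($m in $Messages) { $writer.WriteLine($m) }
        $writer.Flush()
        return $Messages.Count
    }
    finally { $client.Close() }
}

$lines  = if ($CefFile) { Get-Content -Path $CefFile | Where-Object { $_.Trim() } } else { $sampleCef }
$framed = foreach ($l in $lines) { Format-SyslogCef -Cef $l.Trim() -Hostname $SourceHost }
$sent   = Send-SyslogTcp -Server $Forwarder -Port $Port -Messages $framed
Write-Host "Sent $sent CEF message(s) to ${Forwarder}:${Port}; check CommonSecurityLog in a few minutes."
```

If nothing arrives, confirm on the forwarder that the messages are being relayed to the agent port with `sudo tcpdump -A -ni any port 25226` while the script runs; if traffic shows on 514 but not 25226, the rsyslog forwarding rule is not matching, which is also what happens when the file contents are not CEF text. The same framing works for the local `logger` route: the lines fed in must start with "CEF:" for the rule to pick them up.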