cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Send Filtered Firewall logs directly to Azure Data Explorer rather than Sentinel?

FahadAhmed
Brass Contributor

‎Jul 12 2022 12:57 PM

‎Jul 12 2022 12:57 PM

Send Filtered Firewall logs directly to Azure Data Explorer rather than Sentinel?

Hi there,

We have a requirement where a customer has Palo Alto firewall which is integrated to Sentinel. The maximum ingestion is coming from "drop" and "end" events/logs. The client want to send these logs directly to Azure Data Explorer rather than sentinel, since sending them to Sentinel will incur excessive cost, also these events add little value interms of security alerting.

 

Whats the best way to filter and directly send these two categories of logs directly to Azure Data Explorer rather than sentinel? Note: We want to sent other events to sentinel but not the two mentioned above.

 

Any help will be appreciated.

 

Thanks

Fahad.

Labels:
1,716 Views
0 Likes
4 Replies
Reply
4 Replies
FahadAhmed

‎Jul 13 2022 11:16 AM - edited ‎Jul 13 2022 11:17 AM

‎Jul 13 2022 11:16 AM - edited ‎Jul 13 2022 11:17 AM

Re: Send Filtered Firewall logs directly to Azure Data Explorer rather than Sentinel?

@Clive_Watson Thanks , it was really helpful, much appreciate your prompt response. I see the solution is currently in preview and I have already requested access to be added in my subscription and now waiting.

 

Thanks once again for the pointers.

 

Fahad.

0 Likes
Reply
FahadAhmed

‎Jul 13 2022 12:05 PM

‎Jul 13 2022 12:05 PM

Re: Send Filtered Firewall logs directly to Azure Data Explorer rather than Sentinel?

Hi Clive, I looked at the "Add ingestion-time transformation to Azure Monitor Logs using the Azure portal (preview)" solution. It allows to drop the irrelevant logs prior ingestion. However in my scenario we dont want to remove the logs , rather we want to ingestion partial logs and remaining ones to be redirected directly to Azure Data explorer for long term storage. Any idea how we can achieve this?
0 Likes
Reply
Clive_Watson

‎Jul 13 2022 03:02 PM

‎Jul 13 2022 03:02 PM

Re: Send Filtered Firewall logs directly to Azure Data Explorer rather than Sentinel?

As far as I know, you'd have to drop the unnecessary column using transformation into Log Analytics. Then you'd have to drop the others before taking the other stream into ADX. You cant send column A to Log Analytics and Column B to ADX.

Are Basic logs an alternative (if you are happy with the restrictions)? https://docs.microsoft.com/en-us/azure/sentinel/basic-logs-use-cases
0 Likes
Reply