Using default Analytics rules/workbooks for 3rd party log streaming solution

Hi,

I have a requirement to read audit/security logs from a 3rd-party streaming solution, e.g., Cribl, into MS Sentinel. As far as I know, if we don't use Sentinel data connectors, we cannot leverage the MS built-in analytics rules for that product (like AWS, Active Directory, any SaaS solution, etc.). Since here I'll have to ingest all logs from Cribl into my Sentinel workspace, I cannot use individual data connectors for each component. How do I make use of the built-in analytics rules/workbooks in such a case? Is there a way, like custom parsing/tables etc., which can help?

1 Reply

You will have to bring in Cribl yourself (using a Logic App, API, Logstash, or a custom connector...). That data will go into a Table of your choosing, e.g. CRIB_CL.

You can create your own Parser (not always needed), Rules and Workbooks for that data. You could also take an existing Rule (if the use case matches) or workbook and alter it to support this new Table.

Most connectors in Sentinel have specific Workbooks/Parsers and Rules.
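As an added illustration of the parser-plus-adapted-rule approach described in the reply (this is example KQL written for this page, not code from the original poster, Cribl, or Microsoft): the first query is a parser you would save as a Sentinel function (a hypothetical name, `CriblAwsCloudTrail`, is assumed) that reshapes rows from the custom table `CRIB_CL` into the column names of the built-in `AWSCloudTrail` table; the second query is what a CloudTrail-style analytics rule looks like once its `AWSCloudTrail` source is swapped for that function. The table name `CRIB_CL` comes from the reply; the columns `RawData` and `source_s`, and the tag value `aws_cloudtrail` that the Cribl pipeline is assumed to set on each event, are assumptions for the example.

```kql
// Parser (save as a Sentinel function named e.g. CriblAwsCloudTrail).
// Assumes the Cribl pipeline writes the original CloudTrail JSON into a
// RawData string column and tags each row with its origin in source_s.
// Output column names deliberately match the built-in AWSCloudTrail table so
// that rules and workbooks written for that table can be pointed here.
CRIB_CL
| where source_s == "aws_cloudtrail"          // assumed routing tag set in Cribl
| extend ev = parse_json(RawData)             // original CloudTrail record
| where isnotempty(ev.eventName)              // drop rows that failed to parse
| project
    TimeGenerated,
    EventName         = tostring(ev.eventName),
    EventSource       = tostring(ev.eventSource),
    EventTypeName     = tostring(ev.eventType),
    UserIdentityType  = tostring(ev.userIdentity.type),
    UserIdentityArn   = tostring(ev.userIdentity.arn),
    UserIdentityUserName = tostring(ev.userIdentity.userName),
    SourceIpAddress   = tostring(ev.sourceIPAddress),
    UserAgent         = tostring(ev.userAgent),
    AwsRegion         = tostring(ev.awsRegion),
    ErrorCode         = tostring(ev.errorCode),
    ErrorMessage      = tostring(ev.errorMessage),
    ResponseElements  = tostring(ev.responseElements)

// Adapted rule: a CloudTrail "repeated failed console logins" detection.
// The only change from a rule written against the native connector is that
// the table name AWSCloudTrail has been replaced by the parser function above.
// Thresholds (5 failures in 1 hour) are illustrative, not from the page.
CriblAwsCloudTrail
| where TimeGenerated > ago(1h)
| where EventName == "ConsoleLogin"
| where tostring(parse_json(ResponseElements).ConsoleLogin) == "Failure"
| summarize
    FailedLogins = count(),
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    SourceIps = make_set(SourceIpAddress, 10)
    by UserIdentityArn, UserIdentityUserName, AwsRegion
| where FailedLogins >= 5
| extend AccountCustomEntity = UserIdentityUserName
```

Two practical checks before relying on this: run the parser on its own and confirm every output column is populated for a sample of real rows (a field that is empty because the Cribl pipeline renamed or dropped it will silently turn a borrowed rule into a no-op), and remember that built-in rule templates are not edited in place, so create the rule from the template and then change the table reference in the copy.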