I've a requirement to read audit/security logs from a 3rd party streaming solution e.g., cribl into MS Sentinel. As far as I know, if we don't use Sentinel data connectors, we cannot leverage the MS built-in analytics rules for that product (like, AWS, Active directory, any SaaS solution etc.). Since here, I'll have to ingest all logs from cribl into my Sentinel workspace, I cannot use individual data connectors for each component. How do I make use of the built-in analytics rules/workbooks in such case? Is there a way like custom parsing/table etc. which can help?
You will have to bring in Cribl yourself (using a Logic App, api, Logstash, or a custom connector...). That data will go into a Table of your choosing e.g. CRIB_CL.
You can create your own Parser (not always needed), Rules and Workbooks for that data. You could also take an existing Rule (if the use case matches) or workbook and alter it to support this new Table.
Most connectors in Sentinel have specific Workbooks/Parsers and Rules