data collection
Parsing syslog
1. I am ingesting firewall logs as syslog and trying to parse out the fields accordingly using the split command. I have a problem that the beginning of the logs is not piped, and I have made the split on 2 occasions. As you can see in the attached pic, the FWD|UDP|p4| fields are not parsed out. This is the _raw syslog message:

Security F180 Block: FWD|UDP|p4|192.168.x,x|67|00:15:5d:0f:c4:01|255.255.255.255|68|bootpc||LAN-2-INTERNET|4017|0.0.0.0|0.0.0.0|0|1|

2. Can you show me the same using normal regex? I can't see in the MSFT doc how to do it the old way 🙂

3. Should I do the parsing at search time of the query? Doesn't it increase the search time?

Ingesting logs from Event Hub
Hey guys, I wanted to give Sentinel a try. But there is one thing I'd like to clarify first. Our current ingestion pipeline: we are receiving logs into Event Hubs (EH), reading them with Logstash and putting them into Elastic. According to this article [1], we just need to change (add) the destination as a Logstash output and route logs into Log Analytics (LA), and we are good to go. This is what confuses me: EH and LA are both located in Azure, and I hoped to remove Logstash completely from the design: EH -> LA -> Sentinel. Is it possible? Did I miss something here? Or maybe it is planned for some future? [1]: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-to-go-part1-a-lab-w-prerecorded-data-amp-a-custom/ba-p/1260191

Parsing XML in Azure Sentinel
CliveWatson, I wonder if you can give me some pointers on how to parse XML syslog information in Azure Sentinel? Here is a sample of the redacted syslog message formatted into XML:

05:19.0Z Some-Server-Name Events - EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"]
<?xml version="1.0" encoding="utf-8"?>
<UpdateEvents>
  <MachineInfo>
    <AgentGUID>{00000000-0000-0000-0000-000000000000}</AgentGUID>
    <MachineName>Some-Machine</MachineName>
    <RawMACAddress>112233445566</RawMACAddress>
    <IPAddress>1.1.2.3</IPAddress>
    <AgentVersion>1.2.3.123</AgentVersion>
    <OSName>Windows 41</OSName>
    <TimeZoneBias>-10</TimeZoneBias>
    <UserName>myName</UserName>
  </MachineInfo>
  <BrandCommonUpdater ProductName="Brand Agent" ProductVersion="1.0.0" ProductFamily="AVP">
    <UpdateEvent>
      <EventID>1234</EventID>
      <Severity>0</Severity>
      <GMTTime>2020-00-00T06:41:02</GMTTime>
      <ProductID>SomeName1999</ProductID>
      <Locale>0001</Locale>
      <Error>0</Error>
      <Type>SomeCore</Type>
      <Version>1234.0</Version>
      <InitiatorID>SOMEAGENT3000</InitiatorID>
      <InitiatorType>OnDemand</InitiatorType>
      <SiteName>Some-Server-Name</SiteName>
      <Description>N/A</Description>
    </UpdateEvent>
  </BrandCommonUpdater>
</UpdateEvents>

Many thanks

Azure Activity Data Connector
Hi All, my organization is currently working to stand up Sentinel and we are implementing our data connectors. However, we are unable to enable the Azure Activity data connector. All policies are written correctly and should be sending to Sentinel, but it is saying "not connected". Any recommendations?

Disaster Recovery Design for Microsoft Sentinel
I would like to know if there is a recommended design for disaster recovery of the Sentinel SIEM, like placing another Log Analytics workspace in a paired region, then pointing the DR servers to report to this LAW. If I need a live DR, do I have to replicate the Log Analytics workspace to the other paired region, and what is the best method to do this replication? Thanks

Sentinel Billable data
Hello, can you please help me understand the difference between two queries we received from the vendor deploying Sentinel. We have a logic app running this query daily to see billable data (to monitor if we are reaching the cap):

Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(TimeGenerated, 31d), Solution
| summarize TotalDataGB = sum(BillableDataGB)

Also we got the visualisation in a chart over the month:

Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(TimeGenerated, 1d), Solution
| render columnchart

However, there is often a big difference: while the first one reports numbers of 300-400 over several days, when I look at the data in the second I see peaks up to 700 GB. Example below. On 22 June we see a peak to 700 GB, however the outcome of the first query was always 300-400 GB when reported. 23.6 reported previous daily ingestion: 415.907715810097 GB. 22.6 reported previous daily ingestion: 367.10762928873 GB. It does not make sense to me to have such a big difference. Also, what query for monitoring and analyzing daily ingestion are you using, please?

RE: How to disconnect a data connector
Hello to all, is there a way to disconnect a data connector? For example, if I wanted to disconnect the Amazon Web Services or Fortinet data connector (from the Microsoft Sentinel or Azure side), what is the best approach or practice for this?

Creating new field in logs based on existing one
Hello, so as the logs are ingested in Azure Sentinel, I want to add a new key/value to the logs table based on a key that already exists in the logs. For example, the new key is "Country", and if the Tenant-ID value existing in the logs is XYZ then the country "United States" should be added. How can I add such a new key and value to Azure Sentinel schemas? In other SIEM solutions, this is achieved by using Feeds. Thanks.