cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How do I create a custom data table and is it necessary in this scenario?

Porter76
Brass Contributor

‎Aug 29 2023 06:13 AM

‎Aug 29 2023 06:13 AM

How do I create a custom data table and is it necessary in this scenario?

Recently came across some documentation to push logs in an AWS S3 bucket to Sentinel using a lambda function via the log analytics API. Looking at the documentation it looks like I would have to setup a custom data table but there's nothing that covers that in the doc. Also not entirely sure where this data will go when pushed from the S3 bucket. How would I do this and is it necessary in this scenario? Link to docs below.

https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/S3-Lambda 

 

I am unable to use the AWS S3 Data Connector from content hub as the logs we're pushing (AWS WAF) are not supported by that connector. 

1,605 Views
0 Likes
8 Replies
Reply
8 Replies
Clive_Watson

‎Aug 29 2023 06:45 AM

‎Aug 29 2023 06:45 AM

Re: How do I create a custom data table and is it necessary in this scenario?

Its the CustomLog value (see link) - its will append _CL to this for you. e.g. if you want the table to be called: test_CL use 'test' as the value.

https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/S3-Lambda#edit-the-script

0 Likes
Reply
Porter76

‎Aug 29 2023 06:57 AM

‎Aug 29 2023 06:57 AM

Re: How do I create a custom data table and is it necessary in this scenario?

Hey Clive,

So when this script is run, it will create the table? I see now in the github doc where it asks for the Workspace info and a custom log name.

I'm just a little confused on where this data goes, where its stored, and if there's anything more I need to do than simply run this script to get these logs into sentinel.
0 Likes
Reply
Clive_Watson

‎Aug 29 2023 07:33 AM

‎Aug 29 2023 07:33 AM

Re: How do I create a custom data table and is it necessary in this scenario?

Correct run the script to create the Table. The data is stored in Log Analytics just like non custom log data (Sentinel will store this for 90days - assuming you have set the workspace to 90days or more).
0 Likes
Reply
Porter76

‎Aug 29 2023 08:18 AM

‎Aug 29 2023 08:18 AM

Re: How do I create a custom data table and is it necessary in this scenario?

Is it possible I can view this data in Log analytics before its stored in the custom data table the script will create?
0 Likes
Reply
Clive_Watson

‎Aug 29 2023 10:08 AM

‎Aug 29 2023 10:08 AM

Re: How do I create a custom data table and is it necessary in this scenario?

@Porter76 

you need to ingest the data into the Custom table to be able to query it.  The custom table is where it's stored in log analytics.  

 

You can check the schema before ingestion. 

https://learn.microsoft.com/en-us/azure/sentinel/data-source-schema-reference

0 Likes
Reply
Porter76

‎Aug 29 2023 10:29 AM

‎Aug 29 2023 10:29 AM

Re: How do I create a custom data table and is it necessary in this scenario?

@Clive_Watson 

 

After running the script, would I see that data table under "Custom Logs"

 

Porter76_0-1693330168877.png

 

0 Likes
Reply
Porter76

‎Aug 29 2023 04:44 PM

‎Aug 29 2023 04:44 PM

Re: How do I create a custom data table and is it necessary in this scenario?

Thanks so much for all of the help.
0 Likes
Reply