Log filtering on Azure Sentinel

pavan kemisetti 1

how to optimize the logs that are being ingested to Azure Sentinel ? Either on prem logs or cloud logs . Can we do any filtering before the log sits in log analytics work space ? if so, how can we add the filtering

bharathn-msft 5,096 Reputation points Microsoft Employee

2020-12-10T08:17:38.4+00:00

@pavan kemisetti Welcome to Microsoft Q&A platform and thank you for your query.

Please give some time for Community SME's on the topic or our team review your scenario and get back to you at the earliest.
bharathn-msft 5,096 Reputation points Microsoft Employee

2020-12-19T03:48:49.113+00:00

@pavan kemisetti Apologies for delay in getting back to this thread.

Post some research on our ask, was able to find this information. Currently there are various ways to filter “at-ingestion” but it depends on the source (OS, on-prem vs. Cloud, specific clouds (AWS/GCP/…) , for a more focused review of the various connectors, filtering and relevant information regarding log collection please refer here.

Please review the information and circle back if you have any further queries. Thank you
bharathn-msft 5,096 Reputation points Microsoft Employee

2020-12-19T03:51:49.343+00:00

@pavan kemisetti Additionally if you want to get a broader perspective on Logs collection in Sentinel. Would request you to please go through this training module. Thank you.
pavan kemisetti 1 Reputation point

2020-12-20T04:33:59.117+00:00

@bharathn-msft

I have gone through this articles. My question is how do we control the log ingestion into sentinel. For example we have filtering available for windows events,. Lets say that i eanted to filter few events code frrrom the azure firewall events even before they land in to log analytics workspace. How can we acheive it?Aws events how can i filter them ?
bharathn-msft 5,096 Reputation points Microsoft Employee

2021-01-06T18:05:11.93+00:00

@pavan kemisetti - Checking to see if you had a chance to review the above information shared and have any further queries. Thank you.
pavan kemisetti 1 Reputation point

2021-01-08T09:20:52.527+00:00

Thanks Bharat. I guess we need to check on the suggested solution and revert for any queries

1 answer

bharathn-msft 5,096 Reputation points Microsoft Employee

2020-12-23T03:29:15.263+00:00
<< Sharing information here from comments for broader community usage >>

@pavan kemisetti - Thank you for circling back.

Below are possible ways to filter logs at ingestion

Please refer to the new Azure Monitor Agent , in Preview which has DCR (Data Collection Rules).

Also, other option would be to use Logstash, which has filtering capabilities. However applicable to non-production workloads at this current stage.

Please be aware that, at this preview stage DCR will require some manual work as the UI still doesn't show the rules, it requires usage of REST API to inject the configuration for filtering.

Hope this information helps, please feel free to revert back if you have any further queries. Thank you.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Log filtering on Azure Sentinel

1 answer

Your answer