![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 96%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
983 questions
You can create and save user-functions to parse the table for your various needs. Sort of like a view in SQL. The functions are called and treated like a table. This eliminates the need for secondary processing and the additional data ingestion of a Function App parser. https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-kql-functions-to-speed-up-analysis-in-azure-sentinel/ba-p/712381
The downside of using logstash is that much of Sentinel's functionality is based on the built-in connectors and tables. Bringing data into a CL requires custom alert rules and workbooks (or modification of the provided templates). Advanced features like threat intelligence and UEBA may also be difficult or impossible to use with CL data. Best to use the built-in options and you are making a lot of unnecessary work for yourself using logstash as a primary collection method.