![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 18%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA0%3C/text%3E%3C/svg%3E)
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
982 questions
The format of the Syslog message will vary by device vendor. The built-in alert rules and workbooks will parse this data as needed.
For your own hunting a Syslog parser usually begins by filtering out messages from a specific vendor. Then a series or parse() or split() operations are used to break the message down into more useful columns. These queries are typically saved as a user KQL function for easier reuse.
You might try checking the Sentinel GitHub repo for parser examples. There are also several analytic rules that have good Syslog parser examples.
I also recommend looking into the Sentinel ASIM project. This is an effort to improve Sentinel data normalization. Initially the project has produced several functions than can be used in the place of a table to render parsed tables. https://learn.microsoft.com/en-us/azure/sentinel/normalization