Transform or customize data at ingestion time in Microsoft Sentinel (preview)

Стаття
03.01.2023

This article describes how to configure ingestion-time data transformation and custom log ingestion for use in Microsoft Sentinel.

Ingestion-time data transformation provides customers with more control over the ingested data. Supplementing the pre-configured, hardcoded workflows that create standardized tables, ingestion time-transformation adds the capability to filter and enrich the output tables, even before running any queries. Custom log ingestion uses the Custom Log API to normalize custom-format logs so they can be ingested into certain standard tables, or alternatively, to create customized output tables with user-defined schemas for ingesting these custom logs.

These two mechanisms are configured using Data Collection Rules (DCRs), either in the Log Analytics portal, or via API or ARM template. This article will help you choose which kind of DCR you need for your particular data connector, and direct you to the instructions for each scenario.

Prerequisites

Before you start configuring DCRs for data transformation:

Learn more about data transformation and DCRs in Azure Monitor and Microsoft Sentinel. For more information, see:
Verify data connector support. Make sure that your data connectors are supported for data transformation.

In our data connector reference article, check the section for your data connector to understand which types of DCRs are supported. Continue in this article to understand how the DCR type you select affects the rest of the ingestion and transformation process.

Determine your requirements

If you are ingesting	Ingestion-time transformation is...	Use this DCR type
Custom data through the Log Ingestion API	Required Included in the DCR that defines the data model	Standard DCR
Built-in data types (Syslog, CommonSecurityLog, WindowsEvent, SecurityEvent) using the Azure Monitor Agent	Optional If desired, added to the DCR that configures how this data is being ingested	Standard DCR
Built-in data types from most other sources	Optional If desired, added to the DCR attached to the Workspace where this data is being ingested	Workspace transformation DCR

Configure your data transformation

Use the following procedures from the Log Analytics and Azure Monitor documentation to configure your data transformation DCRs:

Direct ingestion through the Log Ingestion API:

Walk through a tutorial for ingesting logs using the Azure portal.
Walk through a tutorial for ingesting logs using Azure Resource Manager (ARM) templates and REST API.

Workspace transformations:

Walk through a tutorial for configuring workspace transformation using the Azure portal.
Walk through a tutorial for configuring workspace transformation using Azure Resource Manager (ARM) templates and REST API.-

Migrate to ingestion-time data transformation

If you currently have custom Microsoft Sentinel data connectors, or built-in, API-based data connectors, you may want to migrate to using ingestion-time data transformation.

Use one of the following methods:

Configure a DCR to define, from scratch, the custom ingestion from your data source to a new table. You might use this option if you want to use a new schema that doesn't have the current column suffixes, and doesn't require query-time KQL functions to standardize your data.

After you've verified that your data is properly ingested to the new table, you can delete the legacy table, as well as your legacy, custom data connector.
Continue using the custom table created by your custom data connector. You might use this option if you have a lot of custom security content created for your existing table. In such cases, see Migrate from Data Collector API and custom fields-enabled tables to DCR-based custom logs in the Azure Monitor documentation.

Next steps

For more information about data transformation and DCRs, see:

Додаткові ресурси

Документація

Custom data ingestion and transformation in Microsoft Sentinel

Learn about how Azure Monitor's custom log ingestion and data transformation features can help you get any data into Microsoft Sentinel and shape it the way you want.
Set up a table with the Auxiliary plan for low-cost data ingestion and retention in your Log Analytics workspace (Preview) - Azure Monitor

Create a custom table with the Auxiliary table plan in your Log Analytics workspace for low-cost ingestion and retention of log data.
Find your Microsoft Sentinel data connector

Learn about specific configuration steps for Microsoft Sentinel data connectors.
Aggregate Microsoft Sentinel data with summary rules

Learn how to aggregate large sets of Microsoft Sentinel data across log tiers with summary rules.
Custom logs via AMA connector - Configure data ingestion to Microsoft Sentinel from specific applications

Learn how to configure data ingestion into Microsoft Sentinel from specific or custom applications that produce logs as text files, using the Custom Logs via AMA data connector or manual configuration.
Best practices for data collection in Microsoft Sentinel

Learn about best practices to employ when connecting data sources to Microsoft Sentinel.
Normalization and the Advanced Security Information Model (ASIM)

This article explains how Microsoft Sentinel normalizes data from many different sources using the Advanced Security Information Model (ASIM)
Cisco ASA/FTD via AMA (Preview) connector for Microsoft Sentinel

Learn how to install the connector Cisco ASA/FTD via AMA (Preview) to connect your data source to Microsoft Sentinel.

Навчання

Модуль

Connect data to Microsoft Sentinel using data connectors - Training

Connect data to Microsoft Sentinel using data connectors

Сертифікація

Microsoft Certified: Azure Data Engineer Associate - Certifications

Демонстрація розуміння поширених завдань з проектування даних для реалізації та керування навантаженнями на проектування даних у Microsoft Azure за допомогою низки служб Azure.

Поділитися через