Using Azure Sentinel with Logstash
- Published 5 Sep 2024
- Aside from the Azure Sentinel data connectors, you can also use Logstash to ingest data into your SIEM. In this video tutorial I explain and demonstrate how Azure Sentinel and Logstash work together.
▼ Installing Logstash on Ubuntu 18.04
devconnected.c...
▼ Log Analytics / Sentinel plugin for Logstash
github.com/Azu...
▼ Social Jeroen Niesen
Twitter: / jeroenniesen
▼ Social AzureVlog
Twitter: / azurevlog
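The pipeline the video walks through is not reproduced on this page, so here is an added example of a complete Logstash configuration (not the video's own file) that reads a CSV export and ships each row to a custom Log Analytics table with the legacy plugin linked above. Assumed: the plugin was installed with `bin/logstash-plugin install microsoft-logstash-output-azure-loganalytics`, the workspace ID and key are supplied through environment variables, and the CSV layout (`timestamp,src_ip,dst_ip,action`) and file path are placeholders.

```conf
# Added example, not from the video. Run with: bin/logstash -f sentinel-csv.conf
input {
  file {
    # Always use forward slashes in "path", also on Windows; a backslash is not
    # treated as a path separator by the glob and the file is silently never read.
    path => "/var/log/exports/*.csv"      # assumed location
    start_position => "beginning"
    sincedb_path => "/dev/null"          # re-read on every start; remove in production
  }
}

filter {
  csv {
    columns => ["timestamp", "src_ip", "dst_ip", "action"]   # assumed CSV layout
    skip_header => true
  }
  date {
    match => ["timestamp", "ISO8601"]   # sets @timestamp from the row's own time
  }
}

output {
  microsoft-logstash-output-azure-loganalytics {
    workspace_id          => "${LOGANALYTICS_WORKSPACE_ID}"    # assumed env var
    workspace_key         => "${LOGANALYTICS_WORKSPACE_KEY}"   # assumed env var
    custom_log_table_name => "FirewallCsv"   # appears in Sentinel as FirewallCsv_CL
  }
  # stdout { codec => rubydebug }   # uncomment while debugging the pipeline
}
```

Two things to check when the table does not show up: the legacy plugin writes custom tables only (the name above becomes `FirewallCsv_CL`, not one of the built-in CEF or Syslog tables), and a new custom table takes several minutes of ingestion time before `FirewallCsv_CL | take 10` returns rows. If it still does not appear, look at Logstash's own log for an authentication or parsing error before changing the pipeline.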
Great resources...keep it up!
I'm going to test it today. Thanks.
Thank you! Did you succeed with your test?
@AzureVlog yes :)
great content. Thank you.
Can we ingest the data into the CEF table or the Syslog table?
Nice job!
Now that we have logs in the Sentinel instance, how are analytics rules applied? Are the built-ins applied, or do we have to create our own? Searching through the logs is fine, but having alerts/incidents is better :)
In most cases you have to create the rules yourself. There is, however, an option to normalise your data. If your data is normalised, some analytics rules can be applied. Read more about it here: learn.microsoft.com/en-us/azure/sentinel/normalization
Great job 👏
Hello Sir,
This was a great and simple video for understanding how to forward logs to Microsoft Sentinel using the Microsoft Logstash Output Azure Log Analytics (legacy) plugin method.
But now Microsoft Sentinel has added a new output plugin, "microsoft-sentinel-logstash-output-plugin", which seems not to be working.
Can you please create the same video using the new output plugin, forwarding the logs to Sentinel via the DCR-based API? It would be greatly appreciated and helpful, as my project is pending because this plugin is not working.
Thank you in advance.
Cheers with Coffee☺
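The DCR-based plugin asked about above authenticates with an Entra app registration and sends to a data collection endpoint (DCE) through a data collection rule (DCR) instead of using the workspace key. As an added example (not from the video or the commenter), this is the output stanza for that plugin with the setting names as documented in the plugin's README; all values are placeholders, and the DCR, its stream and the app's "Monitoring Metrics Publisher" role assignment on the DCR are assumed to already exist.

```conf
# Added example, not from the video. Replaces the legacy output stanza;
# install with: bin/logstash-plugin install microsoft-sentinel-log-analytics-logstash-output-plugin
output {
  microsoft-sentinel-log-analytics-logstash-output-plugin {
    client_app_Id            => "${SENTINEL_CLIENT_ID}"       # assumed env var: app (client) ID
    client_app_secret        => "${SENTINEL_CLIENT_SECRET}"   # assumed env var: client secret
    tenant_id                => "${SENTINEL_TENANT_ID}"       # assumed env var
    # Logs Ingestion endpoint of the DCE, e.g. https://<dce-name>-<suffix>.<region>-1.ingest.monitor.azure.com
    data_collection_endpoint => "${SENTINEL_DCE_URI}"         # assumed env var
    dcr_immutable_id         => "dcr-00000000000000000000000000000000"   # placeholder immutableId
    # Must match a stream declared in the DCR; the DCR's transform maps it to the target table.
    dcr_stream_name          => "Custom-FirewallCsv_CL"       # placeholder stream name
  }
}
```

The most common reason this plugin "does not work" where the legacy one did is a mismatch between what Logstash sends and what the DCR declares: the stream name, the column names and the column types in the DCR must agree with the event fields Logstash produces, and the app registration needs the publisher role on the DCR itself. Check Logstash's log for the HTTP status returned by the ingestion endpoint (a 403 points at the role assignment, a 400 at the stream or schema) before changing the pipeline.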
Amazing
Hi Jeroen, great video again.
For me, though, the music isn't needed ;) I find it very distracting at the moments when you're speaking. It could go entirely, or be a dB lower.
I don't see any table name under the custom logs, which I used in the Logstash output plugin.
Hi Hassan, it could be that you were a little bit too fast. It takes some time (ingestion time) before the results become visible in Azure Sentinel. Is the table still not visible? If so, is Logstash producing any errors?
@AzureVlog Yeah, I got it. The problem was different in my case. I was reading a CSV in the input plugin and had used a backslash (\) in the "path". When I changed it to a forward slash (/), Logstash was able to read it correctly and processed it successfully.
Is this a promo for your coffee machine, or what? 2 minutes of irrelevant footage...