Using Azure Sentinel with Logstash

5,344 views

AzureVlog

1 day ago

Aside from the Azure Sentinel connectors, you could also use Logstash to ingest data in your SIEM. In this video tutorial I'll explain and demonstrate how Azure Sentinel and Logstash work together.
▼ Installing Logstash on Ubuntu 18.04
devconnected.c...
▼ Log Analytics / Sentinel plugin for Logstash
github.com/Azu...
▼ Social Jeroen Niesen
Twitter: / jeroenniesen
▼ Social AzureVlog
Twitter: / azurevlog

Comments: 16
@Yogesh-n8t 11 months ago
Can we ingest the data in the CEF table or the Syslog table?
@pasion11984 1 year ago
I'm going to test it today. Thanks.
@AzureVlog 1 year ago
Thank you! Did you succeed with your test?
@pasion11984 1 year ago
@@AzureVlog yes :)
@Ruchikun 2 years ago
Hi Jeroen, great video. For me, though, the music isn't needed ;) I find it very distracting at the moments when you're speaking. Feel free to drop it or turn it down a dB.
@powertechlearning 1 year ago
Hello Sir, this was a great and simple video for understanding how to forward logs to Microsoft Sentinel using the Microsoft Logstash Output Azure Log Analytics (legacy) plugin method. But now Microsoft Sentinel has added a new output plugin, "microsoft-sentinel-logstash-output-plugin", which seems not to be working. Could you please create the same video using the new output plugin and forward the logs to Sentinel via the DCR-based API? I would be grateful, and it would be helpful, as my project is pending because this plugin is not working. Thank you in advance. Cheers with coffee ☺
@spop1974 1 year ago
Nice job! Now that we have logs in the Sentinel instance, how are analytics rules applied? Are the built-ins applied, or do we have to create our own? Searching through the logs is fine, but having alerts/incidents is better :)
@AzureVlog 1 year ago
In most cases you have to create the rules yourself. There is however an option to normalise your data. If your data is normalised, some analytic rules can be applied. Read more about it here: learn.microsoft.com/en-us/azure/sentinel/normalization
@amaurisrodriguez9914 3 years ago
Great resources... keep it up!
@kns6132 1 year ago
Great content. Thank you.
@shyamaprasadbahinipati6375 2 years ago
Amazing
@HassanBanna 3 years ago
I don't see any table name under the custom logs which I used in the Logstash output plugin.
@AzureVlog 3 years ago
Hi Hassan, it could be that you were a little bit too fast. It takes some time (ingestion time) before the results become visible in Azure Sentinel. Is the table still not visible? If so, is Logstash producing any errors?
@HassanBanna 3 years ago
@@AzureVlog Yeah, I got it. The problem was different in my case: I was reading a CSV in the input plugin and had used a backslash (\) in the "path". When I changed it to a forward slash (/), Logstash was able to read it correctly and processed it successfully.
@anhoek3806 2 years ago
Is this a promo for your coffee machine, or what? 2 minutes of irrelevant footage...
@human1822 1 year ago
Great job 👏