
This project demonstrates how an Azure Function App can be used for reliable, continuous scanning of Azure Data Explorer (ADX) with KQL queries, forwarding matching data in near real time to Log Analytics / Microsoft Sentinel. The same solution can forward KQL query results to nominated Event Hubs.
The project focuses on selective forwarding of events from large-scale ADX data collection into Microsoft Sentinel, but the concept applies to almost any monitoring scenario:
- Slash Microsoft Sentinel cost by pre-filtering noisy events in ADX before they land in Analytics logs
- Enable near real-time Microsoft Sentinel alerting on all events, including performance metrics
- True, universal Data Lake centralisation of enterprise data on Kusto, with dedicated Log Analytics workspaces for different teams. There is no reason why a Sentinel workspace couldn't be repurposed as a case-management system for technology support or network teams!
- Use KQL queries to forward events to Event Hubs, triggering SOAR and automation activities
From a security perspective, near real-time alerting against petabyte-scale data sets is a critical business requirement. Azure Function Apps are extremely flexible and well suited to integration with Kusto; this example project shows how that is achieved.
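The part of such a scanner that decides whether it is actually reliable is the loop that runs on every timer tick: which KQL it issues, how it remembers where it got to, and how it hands rows to the ingestion API. The example below is added here to illustrate that loop and is not code from the linked project. It keys the watermark on `ingestion_time()` rather than `TimeGenerated` so late-arriving events are not lost, holds back rows whose ingestion timestamp may be cut in half by the batch limit, and splits the outbound payload by serialised size. The Kusto client and the Logs Ingestion sender are injected callables; the `fake_kusto` stand-in, the `SCANNER_INGESTION_TIME` column name, the `SecurityEvent` rows and the 1 MB payload limit are all assumptions made for the demo.

```python
"""Core loop of a KQL-driven ADX -> Log Analytics forwarder (added example).

Not code from the linked project. The Kusto client and the Logs Ingestion
sender are injected so the loop runs offline; the stand-in Kusto below is
constructed for the demo and honours only the watermark and `top N` of the
query it receives, not the noise filter.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

# Column the scanner adds to carry ingestion_time(); the name is an assumption.
WM_COLUMN = "ScannerIngestionTime"


@dataclass(frozen=True)
class ScanState:
    watermark: datetime  # newest ingestion_time() fully forwarded (persist this)


def kql_datetime(ts: datetime) -> str:
    return "datetime(" + ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ") + ")"


def build_query(table: str, state: ScanState, filter_kql: str, batch: int) -> str:
    """KQL for one tick. Keyed on ingestion_time() rather than TimeGenerated so
    late-arriving events are still picked up (the table needs the IngestionTime
    policy enabled). filter_kql is the caller's noise filter, applied in ADX
    before anything is billed in the Sentinel workspace."""
    parts = [table, f"where ingestion_time() > {kql_datetime(state.watermark)}"]
    if filter_kql:
        parts.append(filter_kql)
    parts += [f"extend {WM_COLUMN} = ingestion_time()", f"top {batch} by {WM_COLUMN} asc"]
    return "\n| ".join(parts)


def advance(state: ScanState, rows: list[dict], batch: int) -> tuple[list[dict], ScanState]:
    """Rows arrive sorted by ingestion time. ingestion_time() is shared by every
    row of one ingestion blob, so a full batch may cut a timestamp in half; hold
    those rows back and move the watermark only to the last complete timestamp."""
    if not rows:
        return [], state
    if len(rows) >= batch:
        newest = rows[-1][WM_COLUMN]
        complete = [r for r in rows if r[WM_COLUMN] < newest]
        if complete:
            rows = complete
        # else every row shares one timestamp: forward them all. batch must exceed
        # the largest ingestion blob, or rows beyond it with that timestamp are skipped.
    return rows, ScanState(rows[-1][WM_COLUMN])


def chunk_for_ingestion(rows: list[dict], max_bytes: int) -> list[list[dict]]:
    """Split into JSON arrays no larger than max_bytes; the Logs Ingestion API
    caps a single call, so check the current limit and pass it in."""
    chunks, cur, size = [], [], 2  # 2 = the surrounding "[]"
    for r in rows:
        s = len(json.dumps(r, default=lambda v: v.isoformat())) + 1  # +1 for the comma
        if cur and size + s > max_bytes:
            chunks.append(cur)
            cur, size = [], 2
        cur.append(r)
        size += s
    if cur:
        chunks.append(cur)
    return chunks


def scan_once(table: str, filter_kql: str, state: ScanState, batch: int,
              run_query: Callable[[str], list[dict]],
              send: Callable[[list[dict]], None],
              max_bytes: int = 1_000_000) -> tuple[int, ScanState]:
    """One timer tick. Persist the returned state only after every send succeeded:
    a crash in between re-forwards the batch next tick (at-least-once) instead of
    silently losing it."""
    rows = run_query(build_query(table, state, filter_kql, batch))
    fresh, new_state = advance(state, rows, batch)
    for chunk in chunk_for_ingestion(fresh, max_bytes):
        send(chunk)
    return len(fresh), new_state


# --- constructed offline stand-ins for the demo --------------------------------
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [  # constructed rows; two of them share one ingestion timestamp
    {"Computer": "web01", "EventID": 4625, WM_COLUMN: T0 + timedelta(seconds=1)},
    {"Computer": "web02", "EventID": 4625, WM_COLUMN: T0 + timedelta(seconds=2)},
    {"Computer": "web03", "EventID": 4688, WM_COLUMN: T0 + timedelta(seconds=2)},
    {"Computer": "db01", "EventID": 4624, WM_COLUMN: T0 + timedelta(seconds=3)},
]


def fake_kusto(dataset: list[dict]) -> Callable[[str], list[dict]]:
    def run(query: str) -> list[dict]:
        wm_text = re.search(r"datetime\(([^)]+)\)", query).group(1)
        wm = datetime.strptime(wm_text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        n = int(re.search(r"top (\d+) by", query).group(1))
        rows = sorted((r for r in dataset if r[WM_COLUMN] > wm), key=lambda r: r[WM_COLUMN])
        return rows[:n]
    return run


def demo(batch: int = 2) -> tuple[list[int], ScanState, list[list[dict]]]:
    """Four ticks over SAMPLE with a deliberately small batch; returns the
    rows forwarded per tick, the final state and every payload handed to send."""
    sent: list[list[dict]] = []
    state, counts = ScanState(T0), []
    for _ in range(4):
        n, state = scan_once("SecurityEvent", "where EventID != 4624", state, batch,
                             fake_kusto(SAMPLE), sent.append)
        counts.append(n)
    return counts, state, sent


if __name__ == "__main__":
    print(demo())
```

With a batch of 2 the demo forwards 1, 2, 1 and then 0 rows: the first tick sees two rows but holds back the one at the 00:00:02 timestamp because a third row shares it, the second tick forwards that pair, the third picks up the row that arrived later. In a real Function App `run_query` wraps the Kusto client and `send` wraps the Logs Ingestion (or Event Hub) client, and the watermark is written to durable storage only after `scan_once` returns.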
The source code for this project can be found at https://github.com/LaurieRhodes/ADX-to-LogAnalytics-Scanner