Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Tools/Transformations-Library
История
juju4 d946fe80cd docs: remove transformKql source part 2023-08-05 13:22:01 +00:00
..
Filtering docs: remove transformKql source part 2023-08-05 13:22:01 +00:00
Logstash adding logstash and filter scenario (#6899) 2022-12-15 12:29:18 +05:30
Masking Removing list of allowed values for region now 2022-05-20 13:52:24 +02:00
Media
Tagging Removing list of allowed regions 2022-05-20 13:58:08 +02:00
README.md adding logstash and filter scenario (#6899) 2022-12-15 12:29:18 +05:30

README.md

Microsoft Sentinel Transformations Library

This repository contains samples for multiple scenarios that are possible thanks to the new Log Analytics Custom Logs v2 and pipeline transformation features.

Filtering

Ingestion time transformation allows you to drop specific fields from events or even full evets that you don't need to have in the workspace.

  1. Dropping fields
  2. Dropping entire records
  3. Dropping fields just for some vendors or devices
  4. Multiple workspaces for independent entities

Enrichment/Tagging

Adding additional context to an event can greatly help analysts in their scoping and investigation process.

  1. Enriching an event or a field in the event with additional meaningful information
  2. Translating a value into a customers business related value (Geo, Departments,…)

PII Masking/Obfuscation

Another scenario is obfuscation or masking of PII information. This can be Social Security Numbers, email addresses, phone numbers, etc.

  1. Masking last 4 digits of SSN
  2. Removing email addresses

Logstash

Among other enhancements, the new custom logs API allows you to ingest custom data into some Microsoft tables: SecurityEvent, WindowsEvent, CommonSecurityLog and Syslog. We have also updated the Microsoft Sentinel Logastash plugin to work with the new API.

  1. Perform log aggregation with Logastsh and then ingest into Syslog table