Forum Discussion
HA13029
Jul 19, 2024, Brass Contributor
CommonSecurityLog and DCR Table Transformation
Hi all,
I'm trying to filter incoming events coming from a firewall (Fortigate) into the CommonSecurityLog table using a DCR transformation.
The idea is
FW --> AMA Agent --> DCR Transformation (filter messages) --> CommonSecurityLog
On the CommonSecurityLog table, I click on 'Edit Transformation' and apply the following filter in the Transformation Editor:
source
| where DestinationPort != 53 and DestinationPort != 123
| where DeviceAction != "deny"
Unfortunately, these kinds of logs still appear in the CommonSecurityLog table when performing KQL queries...
Am I missing something?
Any idea?
Regards,
HA
Hello HA13029,
Try the 4th step from here: Filter & Split Firewall/CEF logs into multiple Sentinel tables (analytics/basic tier) to save in ingestion costs | LinkedIn
You can transform the logs in the DCR. Just edit it and add the KQL you mentioned in your question.
It should work well.
- mikhailf, Steel Contributor
- HA13029, Brass Contributor
Hi all,
First, thanks a lot for your help!
Filtering is working fine now!
Thanks again
HA
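The collection DCR that the reply points to, written out as an added example (not from the thread and not from Microsoft's documentation): the filter from the question goes into transformKql on the dataFlows entry for the Microsoft-CommonSecurityLog stream, so it runs before rows are written to the table. The syslog facility, log levels, data source name and workspace resource path are assumed placeholders to replace with the values of the existing CEF-via-AMA rule.

```json
{
  "properties": {
    "dataSources": {
      "syslog": [
        {
          "name": "cefDataSource",
          "streams": ["Microsoft-CommonSecurityLog"],
          "facilityNames": ["local4"],
          "logLevels": ["Debug", "Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency"]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE-NAME>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-CommonSecurityLog"],
        "destinations": ["sentinelWorkspace"],
        "transformKql": "source | where DestinationPort != 53 and DestinationPort != 123 | where DeviceAction != \"deny\"",
        "outputStream": "Microsoft-CommonSecurityLog"
      }
    ]
  }
}
```

Note that the second where clause drops every event whose DeviceAction is "deny", so blocked connections will no longer be queryable in CommonSecurityLog or available to analytics rules that depend on them; check that this is the intended trade-off before saving the rule.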