Forum Discussion
Feed data location to run against Sentinel's KQL function
Hi,
We have a feed consisting of around 250,000-300,000 entries and will be imported daily. We do not intend to store this data in Sentinel as a table and would like to store it somewhere else (Cosmos, storage, etc.) from where we can grab this data and run it against one of our Sentinel's KQL functions to generate Alerts.
Planning to use Logic Apps/Functions to do the above actions. But would like to know what would be the right solution here so that comparing the feed data against KQL function results would be fast and not of high cost
Thank you !!
- https://learn.microsoft.com/en-us/azure/azure-monitor/logs/basic-logs-query?tabs=portal-1
Auxiliary or Basic logs could also be an option? https://azure.microsoft.com/en-gb/pricing/details/monitor/ You'd still have to use a Logic Apps to run Alerts against this.
