
Which Azure Sentinel tables does Cribl Stream natively support?

Erin Sweeney Posts: 45 admin

Which Azure Sentinel tables does Cribl Stream natively support? And does it also support sending data to custom tables?


Answers

  • Shane Daniels Posts: 28 mod
    edited May 2023 Answer ✓

    Cribl Stream supports sending to the following native tables in Azure Sentinel using configured Data Collection Rules:

        CommonSecurityLog
        SecurityEvents
        Syslog
        WindowsEvents

    Cribl Documentation:

    https://docs.cribl.io/stream/usecase-azure-webhook/

    You can send data to Azure Sentinel custom tables via the Azure Monitor Logs destination. See documentation link below.

    https://docs.cribl.io/stream/destinations-azure-monitor-logs/

  • nthusiast Posts: 6

    So far, in my experience, sending logs to Sentinel tables takes some format changing. It works somewhat well natively if the data is coming to Cribl already in CEF format. Otherwise you will need to manually map those fields to the corresponding fields in the AzS table. Keep in mind that if one field name does not match exactly, the whole event is dropped, not partially.
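Added example, not code from Cribl or from either poster above. It shows in plain JavaScript the two situations the thread describes when feeding a DCR-backed native table such as CommonSecurityLog: a CEF line that maps onto the table's columns almost for free, and a non-CEF JSON event whose fields have to be mapped by hand, with the all-or-nothing check applied before sending (one column name the table does not know and the whole record is rejected). Assumptions: `COMMON_SECURITY_LOG_COLUMNS` is a hand-picked subset of the real table's columns, enough for the demo; `JSON_FIELD_MAP` and the sample events are made up for the example; the functions are written as stand-alone code, not as a Cribl Code/Eval function body, although that is where this logic would sit in a pipeline.

```javascript
// Added example (not Cribl's code, not from the original thread). Maps events
// onto a subset of Sentinel's CommonSecurityLog columns and enforces the
// "one unknown field drops the whole event" rule before the record is sent.

// ASSUMPTION: hand-picked subset of the real CommonSecurityLog columns.
const COMMON_SECURITY_LOG_COLUMNS = new Set([
  'TimeGenerated', 'DeviceVendor', 'DeviceProduct', 'DeviceVersion',
  'DeviceEventClassID', 'Activity', 'LogSeverity', 'SourceIP', 'DestinationIP',
  'SourcePort', 'DestinationPort', 'DeviceAction', 'Message',
]);

// Standard CEF extension keys -> CommonSecurityLog columns.
const CEF_EXT_TO_COLUMN = {
  src: 'SourceIP', dst: 'DestinationIP', spt: 'SourcePort',
  dpt: 'DestinationPort', act: 'DeviceAction', msg: 'Message',
};

// ASSUMPTION: made-up source field names for a non-CEF JSON firewall event;
// this is the manual mapping the thread talks about.
const JSON_FIELD_MAP = {
  vendor: 'DeviceVendor', product: 'DeviceProduct', version: 'DeviceVersion',
  event_id: 'DeviceEventClassID', name: 'Activity', severity: 'LogSeverity',
  src_ip: 'SourceIP', dst_ip: 'DestinationIP', src_port: 'SourcePort',
  dst_port: 'DestinationPort', action: 'DeviceAction', message: 'Message',
};

// Parse one CEF line: CEF:Version|Vendor|Product|Version|EventClassID|Name|Severity|extensions
function parseCef(line) {
  const m = /^CEF:(\d+)\|(.*)$/.exec(line.trim());
  if (!m) return null;
  const parts = m[2].split(/(?<!\\)\|/);       // split header on unescaped '|'
  if (parts.length < 7) return null;
  const [vendor, product, version, classId, name, severity] = parts;
  const ext = parts.slice(6).join('|');        // extension may itself contain '|'
  const out = {
    DeviceVendor: vendor, DeviceProduct: product, DeviceVersion: version,
    DeviceEventClassID: classId, Activity: name, LogSeverity: severity,
  };
  // Extension values may contain spaces, so split only before "key=" tokens.
  for (const kv of ext.split(/\s+(?=\w+=)/)) {
    const eq = kv.indexOf('=');
    if (eq < 1) continue;
    const col = CEF_EXT_TO_COLUMN[kv.slice(0, eq)];
    if (!col) continue;                        // unmapped extension keys are ignored here
    const val = kv.slice(eq + 1);
    out[col] = col.endsWith('Port') ? Number(val) : val;
  }
  return out;
}

// Rename JSON fields to table columns; anything unmapped passes through unchanged
// so that the schema check below can catch it.
function mapJsonEvent(evt) {
  const out = {};
  for (const [k, v] of Object.entries(evt)) out[JSON_FIELD_MAP[k] || k] = v;
  return out;
}

// Column names in the record that the target table does not declare.
function unknownColumns(record) {
  return Object.keys(record).filter((k) => !COMMON_SECURITY_LOG_COLUMNS.has(k));
}

// Build the record to send, or null when the whole event must be dropped
// (a single non-matching column name rejects the event, not just that field).
function toDcrRecord(mapped, timeGenerated) {
  if (!mapped) return null;
  const record = { TimeGenerated: timeGenerated, ...mapped };
  return unknownColumns(record).length === 0 ? record : null;
}

// Constructed sample input (not real logs).
const SAMPLE_CEF = 'CEF:0|Example Corp|EdgeFW|2.3|1001|connection denied|5|' +
  'src=10.0.0.5 dst=203.0.113.9 spt=51514 dpt=443 act=deny msg=Policy hit: block outbound';
const SAMPLE_JSON_OK = {
  vendor: 'Example Corp', product: 'EdgeFW', version: '2.3', event_id: '1001',
  name: 'connection denied', severity: '5', src_ip: '10.0.0.5', dst_ip: '203.0.113.9',
  src_port: 51514, dst_port: 443, action: 'deny', message: 'outbound blocked',
};
const SAMPLE_JSON_BAD = { ...SAMPLE_JSON_OK, rule_name: 'block-outbound' }; // one extra field

function demo() {
  const ts = '2023-05-01T12:00:00Z';
  return {
    cef: toDcrRecord(parseCef(SAMPLE_CEF), ts),
    jsonOk: toDcrRecord(mapJsonEvent(SAMPLE_JSON_OK), ts),
    jsonBad: toDcrRecord(mapJsonEvent(SAMPLE_JSON_BAD), ts), // null: dropped as a whole
  };
}
```

The useful habit this encodes is to run `unknownColumns` on the mapped record before it leaves the pipeline and route any non-empty result to a separate destination or log, so a renamed upstream field shows up as a visible mapping error instead of as silently missing rows in Sentinel.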