Microsoft's Azure Monitor Agent allows events to be written directly to certain Sentinel tables. In a previous blog piece, 'Writing data to Sentinel's tables with REST and Data Collection Rules', I described how custom Data Collection Rules are written to allow Log Analytics / Sentinel tables to be written to over REST.
There doesn't seem to be a clear list of which tables support direct writing. From trial and error, the tables I understand to support it are listed below.
Sentinel Tables supporting direct writing
Anomalies | ADAssessmentRecommendation
ASimAuditEventLogs | ADSecurityAssessmentRecommendation
ASimAuthenticationEventLogs | AzureAssessmentRecommendation
ASimDhcpEventLogs | DeviceTvmSecureConfigurationAssessmentKB
ASimDnsActivityLogs | DeviceTvmSoftwareVulnerabilitiesKB
ASimFileEventLogs | ExchangeAssessmentRecommendation
ASimNetworkSessionLogs | ExchangeOnlineAssessmentRecommendation
ASimProcessEventLogs | SCCMAssessmentRecommendation
ASimRegistryEventLogs | SCOMAssessmentRecommendation
ASimUserManagementActivityLogs | SfBAssessmentRecommendation
ASimWebSessionLogs | SfBOnlineAssessmentRecommendation
AWSCloudTrail | SharePointOnlineAssessmentRecommendation
AWSCloudWatch | SPAssessmentRecommendation
AWSGuardDuty | SQLAssessmentRecommendation
AWSVPCFlow | UCClientUpdateStatus
CommonSecurityLog | UCDOStatus
GCPAuditLogs | UCServiceUpdateStatus
GoogleCloudSCC | WindowsClientAssessmentRecommendation
SecurityEvent | WindowsServerAssessmentRecommendation
Syslog |
WindowsEvent |
What is really interesting is that the large-volume log sources (SecurityEvent, Syslog, CommonSecurityLog, WindowsEvent) and the ASIM tables are all open for writing.
This opens the door to automation in which an external big-data collector (such as Azure Data Explorer) holds the full firehose and forwards only the events of significance into Sentinel.
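The forwarding path just described, as an added example that is not code from the original post: a small Python client that shapes events for the Syslog table, keeps each request under the Logs Ingestion API's per-call size ceiling, and refuses any table that is not in the list above. The URL shape, the "Custom-<Table>" stream name, the token scope, the Syslog column names and the 1 MB ceiling are assumptions taken from Microsoft's Logs Ingestion API documentation rather than from the post; the DCE host, DCR id and sample SSH events are constructed placeholders.

```python
"""Write events to a Sentinel built-in table through a Data Collection Rule.

Added example, not the post's own code. Assumed API shape (from Microsoft's docs):
  POST https://<DCE>/dataCollectionRules/<DCR immutable id>/streams/<stream>?api-version=2023-01-01
with a JSON array body and a bearer token for scope https://monitor.azure.com//.default.
"""
import datetime as dt
import json
import urllib.parse
import urllib.request

# The tables the post reports as accepting direct writes (both columns of its table merged).
WRITABLE_TABLES = frozenset("""
Anomalies ASimAuditEventLogs ASimAuthenticationEventLogs ASimDhcpEventLogs ASimDnsActivityLogs
ASimFileEventLogs ASimNetworkSessionLogs ASimProcessEventLogs ASimRegistryEventLogs
ASimUserManagementActivityLogs ASimWebSessionLogs AWSCloudTrail AWSCloudWatch AWSGuardDuty
AWSVPCFlow CommonSecurityLog GCPAuditLogs GoogleCloudSCC SecurityEvent Syslog WindowsEvent
ADAssessmentRecommendation ADSecurityAssessmentRecommendation AzureAssessmentRecommendation
DeviceTvmSecureConfigurationAssessmentKB DeviceTvmSoftwareVulnerabilitiesKB
ExchangeAssessmentRecommendation ExchangeOnlineAssessmentRecommendation SCCMAssessmentRecommendation
SCOMAssessmentRecommendation SfBAssessmentRecommendation SfBOnlineAssessmentRecommendation
SharePointOnlineAssessmentRecommendation SPAssessmentRecommendation SQLAssessmentRecommendation
UCClientUpdateStatus UCDOStatus UCServiceUpdateStatus WindowsClientAssessmentRecommendation
WindowsServerAssessmentRecommendation
""".split())

API_VERSION = "2023-01-01"
MAX_REQUEST_BYTES = 1_000_000   # assumed per-call limit of the Logs Ingestion API
TOKEN_SCOPE = "https://monitor.azure.com//.default"


def ingest_url(dce_endpoint: str, dcr_immutable_id: str, table: str) -> str:
    """Build the ingestion URL, refusing tables the post does not list as writable."""
    if table not in WRITABLE_TABLES:
        raise ValueError(f"{table} does not accept direct writes")
    return (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/Custom-{table}?api-version={API_VERSION}")


def syslog_record(computer: str, process: str, message: str,
                  facility: str = "auth", severity: str = "warning", when=None) -> dict:
    """Shape one event to the Syslog table's columns (assumed schema), UTC ISO-8601 timestamp."""
    when = when or dt.datetime.now(dt.timezone.utc)
    return {"TimeGenerated": when.isoformat().replace("+00:00", "Z"),
            "Computer": computer, "HostName": computer, "Facility": facility,
            "SeverityLevel": severity, "ProcessName": process, "SyslogMessage": message}


def batches(records, max_bytes: int = MAX_REQUEST_BYTES):
    """Yield lists of records whose JSON encoding stays under the per-call ceiling."""
    current, size = [], 2                                # 2 bytes for the enclosing "[]"
    for rec in records:
        encoded = len(json.dumps(rec).encode()) + 1      # +1 for the separating comma
        if current and size + encoded > max_bytes:
            yield current
            current, size = [], 2
        current.append(rec)
        size += encoded
    if current:
        yield current


def client_credentials_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Fetch a bearer token for the ingestion scope via the client-credentials grant."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": TOKEN_SCOPE}).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", data=form)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def post_batch(url: str, token: str, batch: list) -> int:
    """POST one batch; the API answers 204 on success."""
    req = urllib.request.Request(url, data=json.dumps(batch).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder DCE host and DCR id; substitute the values from your own resources.
    url = ingest_url("https://my-dce-xxxx.eastus-1.ingest.monitor.azure.com",
                     "dcr-00000000000000000000000000000000", "Syslog")
    # Constructed sample events: repeated SSH failures worth surfacing in Sentinel.
    events = [syslog_record("web01", "sshd",
                            f"Failed password for invalid user admin from 203.0.113.{i} port 5{i}22 ssh2")
              for i in range(1, 4)]
    for chunk in batches(events):
        print(f"would POST {len(chunk)} record(s) to {url}")   # replace with post_batch(url, token, chunk)
```

The DCR behind the stream still has to declare the `Custom-Syslog` input and route it to the built-in table, and the identity that obtains the token needs the Monitoring Metrics Publisher role on the DCR; the client above only handles the request shape and sizing.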