We are excited to share some of the great work the Microsoft Sentinel experts in our Security Operations Center have been up to. This time, we’re sharing a Logstash plugin modification to simplify the process of filtering and ingesting Logstash events into Microsoft Sentinel.
Our fellow SOC operators know it is time-consuming and costly to process alerts without filtering. At Sentinel Blue, we’ve had success using Winlogbeat to collect logs from endpoints and forward them to Logstash for filtering, which substantially reduces the volume of data ingested. Once the data has been reduced and processed, it is ready to send to Microsoft Sentinel.
The output plugin modification we’re sharing reduces the complexity of that final step, sending from Logstash to Sentinel, giving our SOC (and yours) more efficiency, better performance, and less complexity.
You can check it out on our GitHub here: https://github.com/sentinelblue/sentinelblue-logstash-output-azure-loganalytics