dcr

DCRs #3 - Event Hubs as a …

Managing logs in a SIEM environment can be challenging, especially when aiming to design a solution that is extensible, highly available, future-proof, and reasonably priced. In this third installment of the ‘Powerful Capabilities of Data Collection Rules’ series, I show how the …

DCRs #2 - …

In the last post, we looked at the ‘Direct’ DCR that simplifies API-based data ingestion. Today, we’re looking at the AgentDirectToStore Data Collection Rule type, which gives you more options for where to send your data. The ‘AgentDirectToStore’ DCR lets the Azure …

Powerful Capabilities of …

DCRs are the modern backbone of data ingestion for Azure Sentinel, replacing legacy methods with a scalable, flexible, and consistent approach that uses a common data ingestion pipeline for all data sources. DCRs enable advanced filtering, transformation, and routing of data before it even hits your …

Advanced DCR Scenarios - …

DCRs and their ingestion-time transformations have been around for quite a while. They are commonly used in modern Sentinel deployments, but I’ve utilized several specific configurations that are particularly useful during SIEM onboarding, migration, and troubleshooting scenarios. The primary …

Sentinel Phantom Fields: …

Read the blog post on BlueVoyant’s site: Sentinel Phantom Fields: Understanding and Managing Inaccessible Data. Microsoft transitioned to DCR-based log ingestion and manual schema management for tables some time ago. Lots of organizations are adopting this modern approach over the …

Log splitting with Data …

The initial release of this article appeared on BlueVoyant’s website. Click on this link to read it there, along with some lovely diagrams: https://www.managedsentinel.com/log-splitting-with-data-collection-rules/ Alternatively, you may read it on my blog by scrolling down. In a recent article, …