articles/sentinel/summary-rules-tutorial.md
Lines changed: 3 additions & 13 deletions
@@ -1,6 +1,6 @@
1
1
---
2
-
title: Tutorial: Summarize insights from raw data in an Auxiliary table to an Analytics table in Microsoft Sentinel (Preview)
3
-
description: Learn how to aggregate large sets of Microsoft Sentinel data across log tiers with summary rules.
2
+
title: Summarize insights from raw data in an Auxiliary table to an Analytics table in Microsoft Sentinel (Preview)
3
+
description: This article walks you through a sample process for using summary rules with auxiliary logs in Microsoft Sentinel.
4
4
author: batamig
5
5
ms.author: bagol
6
6
ms.topic: how-to #Don't change
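Review bot: the front-matter title on line 2 drops the "Tutorial:" prefix, but the page's H1 (context line 17 in the next hunk) still reads `# Tutorial: Summarize insights from raw data in an Auxiliary table to an Analytics table in Microsoft Sentinel (Preview)`, so the browser title and the on-page heading will no longer match. Either update the H1 in the same change or keep the prefix in the title; dropping it is at least consistent with `ms.topic: how-to`, which the `#Don't change` comment says must stay. The new description reads well.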
@@ -16,15 +16,7 @@ ms.collection: usx-security
16
16
17
17
# Tutorial: Summarize insights from raw data in an Auxiliary table to an Analytics table in Microsoft Sentinel (Preview)
18
18
19
-
Use [summary rules](/azure/azure-monitor/logs/summary-rules) in Microsoft Sentinel to aggregate large sets of data in the background for a smoother security operations experience across all log tiers. Summary data is precompiled in custom log tables and provide fast query performance, including queries run on data derived from [low-cost log tiers](billing.md#auxiliary-logs). Summary rules can help optimize your data for:
20
-
21
-
-**Analysis and reports**, especially over large data sets and time ranges, as required for security and incident analysis, month-over-month or annual business reports, and so on.
22
-
-**Cost savings** on verbose logs, which you can retain for as little or as long as you need in a less expensive log tier, and send as summarized data only to an Analytics table for analysis and reports.
23
-
-**Security and data privacy**, by removing or obfuscating privacy details in summarized shareable data and limiting access to tables with raw data.
24
-
25
-
Access summary rule results via Kusto Query Language (KQL) across detection, investigation, hunting, and reporting activities. Use summary rule results for longer periods in historical investigations, hunting, and compliance activities.
26
-
27
-
Summary rule results are stored in separate tables under the **Analytics** data plan, and charged accordingly. For more information on data plans and storage costs, see [Select a table plan based on usage patterns in a Log Analytics workspace](/azure/azure-monitor/logs/basic-logs-configure)
19
+
This procedure describes a sample process for using summary rules with [auxiliary logs](basic-logs-use-cases.md), using a custom connection created via an ARM template to ingest CEF data from Logstash.
28
20
29
21
> [!IMPORTANT]
30
22
> Summary rules are currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
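Review bot: the removed block carried the cost caveat (summary rule results are stored in separate tables under the Analytics data plan and charged accordingly, with a link to the table-plan article) and the data-privacy point (removing or obfuscating privacy details in shareable summarized data and limiting access to tables with raw data), and the replacement sentence on line 19 carries neither. If the tutorial is meant to be reachable on its own, consider keeping a one-line pointer to the summary rules concept article (summary-rules.md, touched in this same change) so readers still see the Analytics-plan billing impact and the access-control recommendation before they create a rule. The new intro sentence is the same one removed from the sample-process section in the following hunk, so it is a move rather than a duplicate; just confirm it does not remain in both places.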
@@ -47,8 +39,6 @@ We recommend that you [experiment with your summary rule query](hunts.md) in the
47
39
48
40
## Use summary rules with auxiliary logs (sample process)
49
41
50
-
This procedure describes a sample process for using summary rules with [auxiliary logs](basic-logs-use-cases.md), using a custom connection created via an ARM template to ingest CEF data from Logstash.
51
-
52
42
1. Set up your custom CEF connector from Logstash:
53
43
54
44
1. Deploy the following ARM template to your Microsoft Sentinel workspace to create a custom table with data collection rules (DCR) and a data collection endpoint (DCE):
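Review bot: the sentence removed here is the one added to the intro in the previous hunk, so this is a move with no content loss. The heading `## Use summary rules with auxiliary logs (sample process)` is unchanged, so the `#use-summary-rules-with-auxiliary-logs-sample-process` anchor still resolves for any remaining inbound links, even though summary-rules.md now links to the page itself. With the paragraph gone, the section opens directly on `1. Set up your custom CEF connector from Logstash:` followed by a nested `1. Deploy the following ARM template ...`; the nested list depends on indentation, so check that the rendered page still shows it as a sub-step rather than a restarted list.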
articles/sentinel/summary-rules.md
Lines changed: 5 additions & 5 deletions
@@ -1,5 +1,5 @@
1
1
---
2
-
title: Aggregate Microsoft Sentinel data with summary rules | Microsoft Sentinel
2
+
title: Aggregate Microsoft Sentinel data with summary rules
3
3
description: Learn how to aggregate large sets of Microsoft Sentinel data across log tiers with summary rules.
4
4
author: batamig
5
5
ms.author: bagol
@@ -56,9 +56,9 @@ To install a summary rule template:
56
56
57
57
1. Select a summary rule template.
58
58
59
-
A detailed panel with information about the summary rule template opens, displaying fields such as description, summary query, and destination table.
59
+
A panel with information about the summary rule template opens, displaying fields such as description, summary query, and destination table.
60
60
61
-
:::image type="content" source="media/summary-rules/summary-rule-template-details.png" alt-text="Screenshot showing the details panel of a summary rule template in Microsoft Sentinel, including fields like description, summary query, and destination table.":::
61
+
:::image type="content" source="media/summary-rules/summary-rule-template-details.png" alt-text="Screenshot showing the details panel of a summary rule template in Microsoft Sentinel, including fields like description, summary query, and destination table.":::
62
62
63
63
1. Select **Install** to install the template.
64
64
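Review bot: the `:::image:::` line at 60/61 is textually identical on both sides in the rendered view, so this is a whitespace or indentation change. Because that block sits between `1. Select a summary rule template.` and `1. Select **Install** to install the template.`, its indentation decides whether the numbered list continues (1, 2) or restarts at 1 after the image; confirm the new indentation keeps it inside the first list item. The wording change from "A detailed panel" to "A panel" is fine.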
@@ -84,7 +84,7 @@ Create a new summary rule to aggregate a specific large set of data into a dynam
84
84
85
85
- In the Azure portal, from the Microsoft Sentinel navigation menu, under **Configuration**, select **Summary rules (Preview)**. For example:
86
86
87
-
:::image type="content" source="media/summary-rules/summary-rules-azure.png" alt-text="Screenshot of the Summary rules page in the Azure portal.":::
87
+
:::image type="content" source="media/summary-rules/summary-rules-azure.png" alt-text="Screenshot of the Summary rules page in the Azure portal.":::
88
88
89
89
1. Select **+ Create** and enter the following details:
90
90
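Review bot: the same whitespace-only change on the `:::image:::` line as in the previous hunk; here it sits between what appears to be a `- In the Azure portal ...` bullet and `1. Select **+ Create** and enter the following details:`, so check that the indentation keeps the screenshot attached to that bullet and that the numbered step still renders as the next item rather than a fresh list. Separately, mixing a `-` bullet with `1.` steps in one sequence reads oddly; if these are sequential steps, making the first one `1.` would be more consistent.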
@@ -144,7 +144,7 @@ To delete a rule, select the rule row and then select **Delete** in the toolbar
144
144
145
145
## Sample summary rule scenarios
146
146
147
-
This section reviews common scenarios for creating summary rules in Microsoft Sentinel, and our recommendations for how to configure each rule. For more information and examples, see [Use summary rules with auxiliary logs (sample process)](#use-summary-rules-with-auxiliary-logs-sample-process) and [Log sources to use for Auxiliary Logs ingestion](basic-logs-use-cases.md).
147
+
This section reviews common scenarios for creating summary rules in Microsoft Sentinel, and our recommendations for how to configure each rule. For more information and examples, see [Summarize insights from raw data in an Auxiliary table to an Analytics table in Microsoft Sentinel (Preview)](./summary-rules-tutorial.md) and [Log sources to use for Auxiliary Logs ingestion](basic-logs-use-cases.md).
148
148
149
149
### Quickly find a malicious IP address in your network traffic
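Review bot: the new link uses a `./` prefix (`./summary-rules-tutorial.md`) while the other relative link in the same sentence, `basic-logs-use-cases.md`, and the `hunts.md` link in the tutorial use bare paths; drop the `./` for consistency. The link text matches the new front-matter title from the first file, which is good, but if the H1 there keeps its `Tutorial:` prefix the link text and the landing heading will differ.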