
Commit 68d3391

Update summary-rules-tutorial.md
1 parent 49d8e81 commit 68d3391

File tree

1 file changed: +1 -4 lines changed

articles/sentinel/summary-rules-tutorial.md

Lines changed: 1 addition & 4 deletions
@@ -16,7 +16,7 @@ ms.collection: usx-security
1616

1717
# Tutorial: Summarize insights from raw data in an Auxiliary table to an Analytics table in Microsoft Sentinel (Preview)
1818

19-
This procedure describes a sample process for using summary rules with [auxiliary logs](basic-logs-use-cases.md), using a custom connection created via an ARM template to ingest CEF data from Logstash.
19+
This article provides an example of how to use summary rules to aggregate insights from an [auxiliary logs table](basic-logs-use-cases.md) to an Analytics table. In this example, you ingest CEF data from Logstash by deploying a custom connector using an ARM template.
2020

2121
> [!IMPORTANT]
2222
> Summary rules are currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
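Review bot: the new line 19 names the source as an "auxiliary logs table" in lowercase while the H1 two lines above still says "Auxiliary table"; pick one casing and one noun for the heading and the first sentence so the article does not introduce the same table under two names. Also, "deploying a custom connector using an ARM template" can be read as the connector itself using an ARM template; the old wording made clear it is the connection that the ARM template creates, so consider "by deploying a custom connector with an ARM template" to keep that unambiguous.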
@@ -34,9 +34,6 @@ To create summary rules in Microsoft Sentinel:
3434

3535
- To create summary rules in the Microsoft Defender portal, you must first onboard your workspace to the Defender portal. For more information, see [Connect Microsoft Sentinel to the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-sentinel-onboard).
3636

37-
We recommend that you [experiment with your summary rule query](hunts.md) in the **Logs** page before creating your rule. Verify that the query doesn't reach or near the [query limit](/azure/azure-monitor/logs/summary-rules#restrictions-and-limitations), and check that the query produces the intended schema and expected results. If the query is close to the query limits, consider using a smaller `binSize` to process less data per bin. You can also modify the query to return fewer records or remove fields with higher volume.
38-
39-
4037
## Use summary rules with auxiliary logs (sample process)
4138

4239
1. Set up your custom CEF connector from Logstash:
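Review bot: deleting lines 37-39 removes the only guidance in this section on testing the summary rule query in the Logs page before creating the rule, including the check against the summary rules query limit and the advice to reduce `binSize` or return fewer records when the query is near that limit. If that paragraph has moved to another section or article, the commit message should say so and this hunk should leave a link in its place; if it has not, keep it, since that check is what keeps a reader from creating a rule whose query exceeds the restrictions the linked page describes.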