Skip to main content
Solved

Which Azure Sentinel tables does Cribl Stream natively support?

  • March 11, 2025
  • 2 replies
  • 31 views
Erin Sweeney
Forum|alt.badge.img

Which Azure Sentinel tables does Cribl Stream natively support? And does it also support sending data to custom tables?

Best answer by Shane Daniels

Cribl Stream supports sending to the following native tables in Azure Sentinel using configured Data Collection Rules:

CommonSecurityLog

SecurityEvents

Syslog

WindowsEvents

Cribl Documentation:

https://docs.cribl.io/stream/usecase-azure-webhook/

You can send data to Azure Sentinel custom tables via the Azure Monitor Logs destination. See documentation link below.

https://docs.cribl.io/stream/destinations-azure-monitor-logs/

    2 replies

    S
    • Shane Daniels
    • Employee
    • Answer
    • March 11, 2025

    Cribl Stream supports sending to the following native tables in Azure Sentinel using configured Data Collection Rules:

    CommonSecurityLog

    SecurityEvents

    Syslog

    WindowsEvents

    Cribl Documentation:

    https://docs.cribl.io/stream/usecase-azure-webhook/

    You can send data to Azure Sentinel custom tables via the Azure Monitor Logs destination. See documentation link below.

    https://docs.cribl.io/stream/destinations-azure-monitor-logs/

    N
    • nthusiast
    • Participating Frequently
    • March 11, 2025

    So far from my experience in dealing with sending logs to Sentinel tables takes some format changing. It works somewhat well natively if the data is coming to Cribl already in CEF format. Otherwise you will need to manually map those fields to the corresponding fields in the AzS table. Keep in mind that if one field name does not match exactly the whole event is dropped, not partially.

    Terms & ConditionsAccessibility statement