Questions about ingestion-time data transformation
Hi,
We are building a custom collector which collects several sources like ETW, Event Logs, TCP activities, etc. (yes, yet another filebeat :)) and normalizes the output into ASIM format, according to the target schemas of the ASIM tables.
But I see that ingesting directly into the ASIM tables is not allowed via the Log Analytics API. In one of the YouTube videos, I heard that support would be coming (the video is from 3 years ago), but is it still not supported?
I am a simple-minded person. My idea was: if I normalize the data in the way ASIM suggests, I can ingest the data into the ASIM tables, so Sentinel can start doing its magic out of the box. But from the documentation, I see that normalized data should go into a custom table (or maybe a standard table) and from there, via unifying parsers, it should go into the ASIM tables? Is that how it works today? Why add another parser on top of the normalized data?
Thanks in advance.
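As an added example (not part of the original post or of Microsoft's own parser set), the following KQL shows what the "extra parser" the question asks about actually is. ASIM unifying parsers such as `_Im_NetworkSession` are workspace KQL functions that `union` one source-specific parser per feed; nothing is copied into a separate normalized table, the parser is a view over the table the collector writes to. The custom table name `MyCollector_NetTcp_CL`, its columns (`Hostname`, `SrcIp`, `SrcPort`, `DstIp`, `DstPort`, `Direction`, `Outcome`, `ProcName`, `Pid`), the vendor/product strings and the outcome values are assumptions for this illustration; the parameter list follows the standard ASIM NetworkSession filtering parameters so a unifying parser can push its filters down into this function.

```kusto
// Added example, not from the original post: a source-specific ASIM
// NetworkSession parser over a hypothetical custom table MyCollector_NetTcp_CL.
// Table name, column names and the outcome/direction vocabularies are assumptions.
let parser = (
    starttime: datetime = datetime(null),
    endtime: datetime = datetime(null),
    srcipaddr_has_any_prefix: dynamic = dynamic([]),
    dstipaddr_has_any_prefix: dynamic = dynamic([]),
    dstportnumber: int = int(null),
    hostname_has_any: dynamic = dynamic([]),
    eventresult: string = '*',
    disabled: bool = false
) {
    MyCollector_NetTcp_CL
    | where not(disabled)
    // Cheap filters first, so the projection below runs over as little data as possible
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime)   or TimeGenerated <= endtime)
    | where (array_length(hostname_has_any) == 0 or Hostname has_any (hostname_has_any))
    | where (isnull(dstportnumber) or DstPort == dstportnumber)
    | where (array_length(srcipaddr_has_any_prefix) == 0
             or has_any_ipv4_prefix(SrcIp, srcipaddr_has_any_prefix))
    | where (array_length(dstipaddr_has_any_prefix) == 0
             or has_any_ipv4_prefix(DstIp, dstipaddr_has_any_prefix))
    // Map the collector's own vocabulary onto the ASIM enumerations
    | extend
        EventResult = case(Outcome == "established", "Success",
                           Outcome in ("refused", "timeout"), "Failure",
                           "NA"),
        NetworkDirection = case(Direction == "in",  "Inbound",
                                Direction == "out", "Outbound",
                                "NA")
    | where eventresult == '*' or EventResult == eventresult
    // ASIM NetworkSession mandatory and recommended fields
    | extend
        EventVendor        = "Contoso",        // assumption
        EventProduct       = "MyCollector",    // assumption
        EventSchema        = "NetworkSession",
        EventSchemaVersion = "0.2.6",
        EventType          = "EndpointNetworkSession",
        EventCount         = int(1),
        EventStartTime     = TimeGenerated,
        EventEndTime       = TimeGenerated,
        DvcHostname        = Hostname,
        SrcIpAddr          = SrcIp,
        SrcPortNumber      = SrcPort,
        DstIpAddr          = DstIp,
        DstPortNumber      = DstPort,
        NetworkProtocol    = "TCP",
        SrcProcessName     = ProcName,
        SrcProcessId       = tostring(Pid)
    // Schema aliases, so analytics written against Dvc/Src/Dst/IpAddr work unchanged
    | extend
        Dvc    = DvcHostname,
        Src    = SrcIpAddr,
        Dst    = DstIpAddr,
        IpAddr = SrcIpAddr
    | project-away Hostname, SrcIp, SrcPort, DstIp, DstPort, Direction, Outcome, ProcName, Pid
};
// Example call, the way a unifying parser or an analytics rule would invoke it
parser(starttime=ago(1h), dstportnumber=445)
```

Two things follow from this. First, if the collector already writes ASIM column names and values into the custom table, the source-specific parser collapses to the parameter filters plus a `project`, but it still has to exist, because the unifying parser only knows how to `union` parser functions, not arbitrary tables. Second, the parameter handling is not optional: a parser that ignores `starttime`/`endtime` or the prefix filters forces every scan through the full table whenever the unifying parser is used. Sentinel also has native `ASim*Logs` tables (for example `ASimNetworkSessionLogs`) that are written through the DCR-based Logs Ingestion API rather than the legacy HTTP Data Collector API; whether one of those fits a given feed depends on which schemas the current documentation lists as supported, so check that before committing the collector to a table layout.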