Azure-Sentinel
Migrate-LA-to-ADX.ps1 only migrated 7 Sentinel tables
Hi,
We just ran the script Migrate-LA-to-ADX.ps1 to set up ingestion from Sentinel to ADX. Upon completion of the script it only set up the export for 7 Sentinel tables and created 7 event hubs (all in one namespace), and only created two data connections on the ADX DB. We ran the script to set up export of all the LA tables, so I'm not sure why it only set up the export for 7 tables. If I had to draw any correlation, it's that it seems like the script only set up the export for tables that actually have data. Is this expected behavior? How can I get the script to set up the export of all the LA tables?
Thanks,
Mike
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi, just a follow-up to my original post. As we continue testing this script, it seems it does work best with Sentinel/Log Analytics tables that have data and are actively ingesting data. We've been trying to use this script to pre-stage all the Sentinel table exports to ADX as part of our code-based deployment, but at that stage none of the source tables have any data, so it doesn't really seem well suited for this purpose.
@mtittle52 - Yes, you are correct. The script will create Event Hub topics for the tables that are actively ingesting data. It's by design to create Data Export Rules at LA.
If you are creating these tables in ADX for long-term data retention, we have a new Sentinel-native feature called "Archive Tier".
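Since the script only creates export rules and Event Hubs for tables that are actively ingesting, it helps to check that criterion before running it. The following is an added example, not part of Migrate-LA-to-ADX.ps1 or the Azure-Sentinel repo; it assumes the Az.Accounts and Az.OperationalInsights modules are installed, `Connect-AzAccount` has been run, and the workspace ID and table list are placeholders you replace.

```powershell
# Added example (not the repo's script). Assumes Az.Accounts + Az.OperationalInsights
# are installed and Connect-AzAccount has already been run.
# Reports which of the tables you want exported to ADX have actually ingested rows
# recently, because the migration script only creates export rules / Event Hubs for
# tables that are actively ingesting data.
function Get-ExportCandidateTables {
    param(
        [Parameter(Mandatory)] [string]   $WorkspaceId,   # Log Analytics workspace (customer) ID
        [Parameter(Mandatory)] [string[]] $WantedTables,  # tables you intend to export to ADX
        [int] $LookbackDays = 7
    )

    # KQL: count rows per table over the lookback window.
    # 'union withsource=TableName *' tags every row with the table it came from.
    $query = "union withsource=TableName * " +
             "| where TimeGenerated > ago(${LookbackDays}d) " +
             "| summarize Rows=count() by TableName"

    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId `
                  -Query $query -Timespan (New-TimeSpan -Days $LookbackDays)

    # Build a lookup of table -> row count for tables that returned data.
    $active = @{}
    foreach ($row in $result.Results) { $active[$row.TableName] = [int64]$row.Rows }

    # One record per wanted table; WillExport mirrors the script's "has data" criterion.
    $report = foreach ($t in $WantedTables) {
        [pscustomobject]@{
            Table      = $t
            Rows       = if ($active.ContainsKey($t)) { $active[$t] } else { 0 }
            WillExport = $active.ContainsKey($t)
        }
    }
    return $report
}

# Constructed sample invocation: placeholder workspace ID, typical Sentinel tables.
$wanted = 'SecurityEvent', 'SigninLogs', 'AuditLogs', 'OfficeActivity',
          'CommonSecurityLog', 'Syslog', 'ThreatIntelligenceIndicator'
Get-ExportCandidateTables -WorkspaceId '00000000-0000-0000-0000-000000000000' `
                          -WantedTables $wanted |
    Sort-Object WillExport -Descending | Format-Table -AutoSize
```

Tables listed with `WillExport = False` are the ones the script will skip in a freshly deployed workspace, so they need to be handled after data starts flowing or covered by the Archive Tier instead.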
Thanks for the response @sreedharande. Hi @mtittle52, thanks for flagging this. Hope Sreedhar's comment answers your query. Please let us know if we can close the issue or need any more assistance. Thanks!
Thank you. You may close the issue.
From: v-amolpatil. Sent: Thursday, February 2, 2023 1:18 AM. To: Azure/Azure-Sentinel. Subject: Re: [Azure/Azure-Sentinel] Migrate-LA-to-ADX.ps1 only migrated 7 Sentinel tables (Issue #6900)