Forum Discussion
Jordan Mills
Oct 17, 2022 (Brass Contributor)
CEF ingestion not parsing all fields or field limitations
I'm trying to get data from Palo Alto firewalls into Sentinel. After fighting through some major issues with documentation and incorrect automatic configuration, we have the data getting into the Com...
GBushey
Oct 18, 2022 (Former Employee)
Have you checked out the ASIM parser functions that were created to extract this information as needed to see if they provide the information you need?
Jordan Mills
Oct 18, 2022 (Brass Contributor)
Yes. They expect these fields to be there. That can easily be verified by looking at the function code. The important fields, like MaliciousIP, ThreatSeverity, and ReportReferenceLink are empty (for the output of _Im_NetworkSession_PaloAltoCEFV05, in this case).
And nothing seems to use these functions anyway. The workbooks I've saved from templates all have their own direct queries of the CommonSecurityLog table. Of course they all have similar issues.
Even if the ASIM functions worked and were used elsewhere, their basis of performing string extraction at query time makes no sense. I get that Kusto performs indexing in ways that might not be expected by someone used to SQL Server, but I can't imagine that query-time parsing and partial indexing of string fields can ever be more efficient than a simple string parsing at ingestion.
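An added example, not code from the thread or from Microsoft's ASIM parsers: a small Python CEF parser that handles the format's escaping and reports which expected extension keys arrived absent or empty, the kind of ingest-time check the posts above argue for. The sample event, its vendor/product/version strings and the expected-key list are constructed for the demonstration.

```python
"""Minimal CEF (Common Event Format) parser plus an ingest-time key check."""
import re

HEADER_FIELDS = ("Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "SignatureID", "Name", "Severity")
# Header field: a run of non-pipe characters or backslash escapes, ended by "|".
_HEADER_RE = re.compile(r"((?:[^|\\]|\\.)*)\|")
# Extension key: at the start or after whitespace, followed by an unescaped "=",
# so an escaped "\=" inside a value is never mistaken for a new key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-\[\]]+)=")
_EXT_ESCAPES = {"n": "\n", "r": "\r"}  # "\=", "\\" and "\|" yield the char itself


def _unescape(value, table=_EXT_ESCAPES):
    # Resolve backslash escapes; an escape not in the table yields the char itself.
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse one CEF line into (header, extension) dicts; a syslog prefix is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    text, fields, pos = line[start + 4:], [], 0
    for m in _HEADER_RE.finditer(text):
        fields.append(_unescape(m.group(1), {}))
        pos = m.end()
        if len(fields) == len(HEADER_FIELDS):
            break
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("CEF header must contain 7 pipe-delimited fields")
    rest, ext = text[pos:], {}
    keys = list(_KEY_RE.finditer(rest))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(rest)
        ext[m.group(1)] = _unescape(rest[m.end():end].strip())
    return dict(zip(HEADER_FIELDS, fields)), ext


def missing_keys(extension, expected):
    """Expected extension keys that are absent or empty (a parser would return them blank)."""
    return sorted(k for k in expected if not extension.get(k))


# Constructed sample event; vendor, product and version strings are made up.
SAMPLE = (r"<14>Oct 17 2022 10:00:00 fw1 CEF:0|Palo Alto Networks|PAN-OS|10.1|THREAT|"
          r"vulnerability|7|rt=Oct 17 2022 10:00:00 src=10.0.0.5 dst=203.0.113.9 "
          r"spt=51234 dpt=443 act=alert msg=url\=https://example.test/a\=b "
          r"cs1Label=Rule cs1=Allow Web")
```

Running `missing_keys` over a batch of raw lines before they reach the SIEM shows which keys the device never sends, which is a different problem from a parser that fails to extract keys that are present.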