Forum Discussion
Porter76
Sep 08, 2023, Brass Contributor
Creating a Custom Column in a Data Table and populating from "AdditionalExtensions"
Our Zscaler logs are pushed to our CommonSecurityLog data table. Zscaler pushes the device name to Sentinel, but for some reason it is not given its own column like the rest of the data. It is just added to the AdditionalExtensions column.
Is it possible to parse just the "DeviceHostname=X-X-X-X" from "AdditionalExtensions" and add it to its own separate column labeled DeviceHostname?
- CruzAz, Microsoft
The CEF table schema can be found here: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/commonsecuritylog
If the column doesn't exist, you can always create a Log Analytics function and use it as a parser. It will ingest into a Custom Log.
- samikroy, Brass Contributor
There are 2 ways to address this:
1. Modify the Zscaler output feed to map to one of the well-known columns (e.g. DeviceCustomString2) to ingest to one of the columns. Reference: https://www.scribd.com/document/465239018/Zscaler-NSS-4-1-CEF-Config-Guide-2013#
2. Create a KQL function (to parse) like:
CommonSecurityLog
// restrict to Zscaler rows (check the exact DeviceVendor value in your own data)
| where DeviceVendor == "Zscaler"
// pull the value between "DeviceHostname=" and the next pair delimiter into a new column
| parse AdditionalExtensions with * "DeviceHostname=" DeviceHostname "," *
Creating a new column might not be necessary here.
Hope this helps.
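One way to turn that parse into a reusable Log Analytics function, as an added example that is not part of the thread: the sample rows are constructed here, and both the ';' pair delimiter and the DeviceVendor value "Zscaler" are assumptions to confirm against your own CommonSecurityLog rows before saving the function.

```kusto
// Added example, not from the original thread. ZscalerCefSample is constructed
// sample data standing in for CommonSecurityLog; the ';' pair delimiter and the
// DeviceVendor value "Zscaler" are assumptions to verify on real rows first.
let ZscalerCefSample = datatable(DeviceVendor:string, AdditionalExtensions:string)
[
    "Zscaler",     "DeviceHostname=LAPTOP-01;ZscalerCustomKey=abc",
    "Zscaler",     "ZscalerCustomKey=abc;DeviceHostname=LAPTOP-02",
    "Zscaler",     "SrcDeviceHostname=DECOY;ZscalerCustomKey=abc",   // similar key, must not match
    "Zscaler",     "ZscalerCustomKey=abc",                            // key absent entirely
    "OtherVendor", "DeviceHostname=NOT-ZSCALER"
];
// Reusable parser. Save the body as a Log Analytics function (for example named
// ZscalerDeviceHostname) so analysts call it instead of re-typing the extract.
let ZscalerDeviceHostname = (T:(DeviceVendor:string, AdditionalExtensions:string)) {
    T
    | where DeviceVendor == "Zscaler"
    // Anchor on start-of-string or the ';' delimiter so a longer key such as
    // "SrcDeviceHostname=" cannot match, and stop at the next ';' or end of string.
    | extend DeviceHostname = extract(@"(?:^|;)DeviceHostname=([^;]*)", 1, AdditionalExtensions)
    // Rows without the key keep an empty DeviceHostname instead of being dropped,
    // and the flag makes the gap easy to count in a detection or health query.
    | extend HasDeviceHostname = isnotempty(DeviceHostname)
};
ZscalerCefSample
| invoke ZscalerDeviceHostname()
| project DeviceVendor, DeviceHostname, HasDeviceHostname
// Expected: LAPTOP-01 and LAPTOP-02 extracted, the DECOY and absent-key rows
// flagged HasDeviceHostname == false, and the OtherVendor row filtered out.
```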