Forum Discussion
Porter76
Sep 08, 2023 Brass Contributor
Creating a Custom Column in a Data Table and populating from "AdditionalExtensions"
Our Zscaler logs are pushed to our CommonSecurityLog data table. Zscaler pushes the device name to Sentinel, but for some reason it is not given its own column like the rest of the data. It is just a...
CruzAz
Sep 08, 2023 Former Employee
The CEF table schema can be found here: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/commonsecuritylog
If the column doesn't exist, you can always create a Log analytics function and use it as a parser. It will ingest into a Custom Log.
samikroy
Sep 11, 2023 MCT
There are 2 ways to address this
1. Modify the Zscaler output feed to map to one of the well-known columns (e.g. DeviceCustomString2) to ingest into one of the columns. Reference -
https://www.scribd.com/document/465239018/Zscaler-NSS-4-1-CEF-Config-Guide-2013#
2. Create a KQL function (to parse) like
   // filter to the Zscaler CEF events, then pull DeviceHostname out of the
   // AdditionalExtensions string into a new column of the same name
   CommonSecurityLog
   | where DeviceVendor == "Zscaler"
   | parse AdditionalExtensions with * "DeviceHostname=" DeviceHostname "," *
Creating a new column might not be necessary here.
Hope this helps.
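As an added example, not code from samikroy's reply or from Zscaler or Microsoft, here is option 2 written as a KQL function that can be saved in Log Analytics and queried like a table, as CruzAz suggests, run against constructed sample rows instead of the live CommonSecurityLog table. The vendor string "Zscaler", the extension key "DeviceHostname", the function name ZscalerDeviceHostname and every sample value are assumptions; the real key name and delimiter should be checked against a row of your own AdditionalExtensions data.

```kql
// Constructed sample rows standing in for CommonSecurityLog (not real log data).
// Sentinel normally stores the leftover CEF extensions as "key=value;key=value",
// so both ';' and the ',' used in the thread are handled below.
let SampleCEF = datatable(TimeGenerated:datetime, DeviceVendor:string, DeviceProduct:string, AdditionalExtensions:string) [
    datetime(2023-09-08 10:00:00), "Zscaler",     "NSSWeblog", "DeviceHostname=LAPTOP-01;cat=Business;rulelabel=Allow",
    datetime(2023-09-08 10:01:00), "Zscaler",     "NSSWeblog", "cat=Streaming;DeviceHostname=DESKTOP-42",
    datetime(2023-09-08 10:02:00), "Zscaler",     "NSSWeblog", "cat=Unknown",
    datetime(2023-09-08 10:03:00), "OtherVendor", "Firewall",  "DeviceHostname=FW-01"
];
// Parser function (assumed name). Takes any table with DeviceVendor and
// AdditionalExtensions columns, keeps the Zscaler rows and adds DeviceHostname.
// extract() with a regex is used instead of parse so that a hostname that is the
// last extension (no trailing delimiter) is still captured; a missing key yields
// an empty string rather than dropping the row.
let ZscalerDeviceHostname = (T:(DeviceVendor:string, AdditionalExtensions:string)) {
    T
    | where DeviceVendor =~ "Zscaler"
    | extend DeviceHostname = extract(@"(?:^|[;,])DeviceHostname=([^;,]*)", 1, AdditionalExtensions)
};
// Usage: in production replace SampleCEF with CommonSecurityLog.
SampleCEF
| invoke ZscalerDeviceHostname()
| project TimeGenerated, DeviceProduct, DeviceHostname, AdditionalExtensions
```

Saving the body of ZscalerDeviceHostname as a Log Analytics function gives analysts a DeviceHostname column without changing the Zscaler NSS feed or the CommonSecurityLog schema, and the `isnotempty(DeviceHostname)` filter can be added to flag events where the device name was not sent at all.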