Forum Discussion
CruzAz
Microsoft
The CEF table schema can be found here: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/commonsecuritylog
If the column doesn't exist, you can always create a Log Analytics function and use it as a parser. It will ingest into a Custom Log.
samikroy
Sep 11, 2023, Brass Contributor
There are 2 ways to address this:
1. Modify the Zscaler output feed to map to one of the well-known columns (e.g. DeviceCustomString2) so the value is ingested into one of those columns. Reference -
https://www.scribd.com/document/465239018/Zscaler-NSS-4-1-CEF-Config-Guide-2013#
2. Create a KQL function (to parse) like:
// Vendor name spelled as Zscaler emits it in the CEF header
CommonSecurityLog
| where DeviceVendor == "Zscaler"
| parse AdditionalExtensions with * "DeviceHostname=" DeviceHostname "," *
Creating a new column might not be necessary here.
Hope this helps.
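An added example (not part of either post) of the second approach as a saved Log Analytics function, with constructed sample rows standing in for CommonSecurityLog. It assumes AdditionalExtensions holds ";"-separated key=value pairs, uses `extract` instead of `parse` so rows without the key are kept rather than silently dropped, and the function name ZscalerWeblog_Parsed is hypothetical.

```kql
// Constructed sample rows that stand in for CommonSecurityLog (assumption:
// Zscaler NSS writes DeviceHostname into AdditionalExtensions as "key=value;" pairs).
let SampleCommonSecurityLog = datatable(TimeGenerated:datetime, DeviceVendor:string, DeviceProduct:string, AdditionalExtensions:string)
[
    datetime(2023-09-11T10:00:00Z), "Zscaler",     "NSSWeblog", "DeviceHostname=host-a.example.net;ZscalerDept=Finance;",
    datetime(2023-09-11T10:01:00Z), "Zscaler",     "NSSWeblog", "ZscalerDept=Sales;DeviceHostname=host-b.example.net",
    datetime(2023-09-11T10:02:00Z), "Zscaler",     "NSSWeblog", "ZscalerDept=HR;",
    datetime(2023-09-11T10:03:00Z), "OtherVendor", "FW",        "DeviceHostname=not-zscaler.example.net;"
];
// Body to save as the Log Analytics function ZscalerWeblog_Parsed (hypothetical name).
// In production replace SampleCommonSecurityLog with CommonSecurityLog.
SampleCommonSecurityLog
| where DeviceVendor == "Zscaler"
// Anchor on start-of-string or ";" so a key such as "XDeviceHostname=" cannot match,
// and stop at the next ";" (or end of string when the pair is last and unterminated).
| extend DeviceHostname = extract(@"(?:^|;)DeviceHostname=([^;]*)", 1, AdditionalExtensions)
// Rows without the key are kept but flagged, so they remain visible in detections.
| extend DeviceHostname = iif(isempty(DeviceHostname), "<missing>", DeviceHostname)
| project TimeGenerated, DeviceProduct, DeviceHostname, AdditionalExtensions
```

Expected result: three Zscaler rows with DeviceHostname host-a.example.net, host-b.example.net and "<missing>"; the OtherVendor row is filtered out by the vendor check.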