Forum Discussion
milkmix_
Sep 24, 2020 - Copper Contributor
Logstash collector vs UEBA and Exploration queries
Hello, When using the official and supported Logstash output to ingest events from a WEC server, the table is not named `SecurityEvent` (gets `_CL` appended) and the fields are all appended with ...
CliveWatson
Oct 07, 2020 - Former Employee
Have you considered using a Parser - this is an example: https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Teams_parser.txt
I used this syntax recently to map a _CL with another Table - saved as a function called InfoP. You will probably want to map multiple columns, see the example for ideas.
// Body of the saved function InfoP: union the custom (_CL) table with the standard table.
// withsource=tt adds a column "tt" recording which table each row came from.
union withsource=tt InformationProtectionLogs_CL, InformationProtectionEvents
| extend User = iif(isempty(User), UserId_s, User)

// Calling the saved function like a table
InfoP
| project User
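Applying the same idea to the Logstash case from the original question, as an added example that is not from Clive's post or from the Azure-Sentinel parsers repo: the custom table name WecSecurityEvent_CL and the suffixed column names are assumptions, since the question does not list the real ones, and the function is saved under a name other than SecurityEvent because a function cannot share its name with a built-in table.

```kql
// Parser that maps a Logstash-ingested custom table (hypothetical name
// WecSecurityEvent_CL, with Logstash/Data Collector type suffixes such as
// _s string, _d double, _t datetime) onto the SecurityEvent column names.
// Save this query as a function, e.g. "SecurityEventAll" (NOT "SecurityEvent",
// which collides with the built-in table and is rejected).
let FromLogstash = WecSecurityEvent_CL
    | project
        TimeGenerated,
        Computer  = Computer_s,
        EventID   = toint(EventID_d),
        Account   = Account_s,
        Activity  = Activity_s,
        EventData = EventData_s;
let FromAgent = SecurityEvent
    | project TimeGenerated, Computer, EventID, Account, Activity, EventData;
// isfuzzy=true keeps the function usable in a workspace where one of the
// two tables does not exist yet; withsource records which feed each row came from.
union isfuzzy=true withsource=SourceTable FromAgent, FromLogstash
```

Once saved, custom rules and workbooks can query SecurityEventAll in place of SecurityEvent (for example `SecurityEventAll | where EventID == 4624 | summarize count() by Account, SourceTable`); as the thread notes, built-in blades such as Entity Behavior will not pick the function up.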
- milkmix_ Oct 07, 2020 - Copper Contributor
Hi Clive,
Thanks for the tips! I wasn't aware of this feature.
Could this be used to map it against a table like SecurityEvents or CommonSecurityEvents used internally by Sentinel in Entity Behavior?
- CliveWatson Oct 07, 2020 - Former Employee
It's a feature that helps you with Queries or features that support queries, like Workbooks & Rules. If you create a function called "mySecurityEvents", none of the built-in blades would be aware of that new name, so a solution like Entity Behaviour won't use this new 'virtual' table. However, you could adapt the Entity Behaviour workbook to include this new Table (parser), or include it in custom rules you write.
- milkmix_ Oct 07, 2020 - Copper Contributor
Indeed, just tested and got this in return:
"Detected a function and a table with the same name: 'SecurityEvent'. Rename the function to allow it to be used in a query."
Will work with LA agent then 🙂