Forum Discussion
milkmix_
Sep 24, 2020Copper Contributor
Logstash collector vs UEBA and Exploration queries
Hello, when using the official and supported Logstash output to ingest events from a WEC server, the table is not named `SecurityEvent` (gets `_CL` appended) and the fields are all appended with ...
milkmix_
Oct 07, 2020Copper Contributor
Hi Clive,
Thanks for the tips! I wasn't aware of this feature.
Could this be used to map it against a table like SecurityEvents or CommonSecurityEvents used internally by Sentinel in Entity Behavior?
CliveWatson
Oct 07, 2020Former Employee
It's a feature that helps you with queries or features that support queries, like Workbooks & Rules. If you create a function called "mySecurityEvents", none of the built-in blades would be aware of that new name, so a solution like Entity Behaviour won't use this new 'virtual' table. However, you could adapt the Entity Behaviour workbook to include this new table (parser), or include it in custom rules you write.
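As an added example, not code from the thread, this is the kind of saved KQL function (parser) described above. It assumes the Logstash-created table is `SecurityEvent_CL` and that the fields carry the usual Log Analytics type suffixes (`Computer_s`, `EventID_d`, and so on); the function name `WecSecurityEvent` is an assumption too, chosen because a function cannot share its name with an existing table.

```kql
// Added example (not from the original thread): a saved function that exposes
// the Logstash-ingested custom table under a SecurityEvent-like column set, so
// custom analytic rules and workbooks can query it with the familiar names.
// Assumed source table and suffixed field names; adjust to your own schema.
// Save this as a function named "WecSecurityEvent" (NOT "SecurityEvent":
// Log Analytics rejects a function that has the same name as a table).
SecurityEvent_CL
| project
    TimeGenerated,
    Computer    = tostring(Computer_s),
    EventID     = toint(EventID_d),          // _d columns are real; cast to int
    Account     = tostring(Account_s),
    AccountType = tostring(AccountType_s),
    IpAddress   = tostring(IpAddress_s),
    LogonType   = toint(LogonType_d),
    Activity    = tostring(Activity_s),
    EventData   = tostring(EventData_s)
// Once saved, a custom rule or workbook references the parser like a table,
// e.g. (hypothetical query, not part of the original post):
// WecSecurityEvent
// | where TimeGenerated > ago(1h)
// | summarize Events = count() by Computer, EventID
```

Built-in solutions such as Entity Behavior keep reading the real `SecurityEvent` table, so only content you write yourself picks up the parser.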
milkmix_
Oct 07, 2020Copper Contributor
Indeed, just tested and got this in return:
"Detected a function and a table with the same name: 'SecurityEvent'. Rename the function to allow it to be used in a query."
Will work with LA agent then 🙂