Forum Discussion
Standard Ontology and SIEM Field Mapping
Hey ManishaPatil,
I don’t have experience with Chronicle so I’d recommend first investigating if there are any native parsers, though I doubt they’d meet your requirements. Each table you’re ingesting from Sentinel is going to have its own unique schema. This is why you see some KQL with join statements like ‘join <t> on $left.principaluseremail == $right.userprincipalname’
As for API/PowerShell module to help you build out automation, pick your preference:
- Rest API: https://learn.microsoft.com/en-us/rest/api/loganalytics/tables/get?view=rest-loganalytics-2025-02-01
- PowerShell module: https://learn.microsoft.com/en-us/powershell/module/az.operationalinsights/get-azoperationalinsightstable?view=azps-14.3.0
Either should help you get metadata on the tables and their columns that you need.
Depending on the amount of data and/or varying data connectors you have configured, you might want to consider normalizing the data before mapping. Not only could this effort help make your data easier to map over, but it could greatly improve its operational effectiveness within Sentinel. https://learn.microsoft.com/en-us/azure/sentinel/normalization
Best regards,
Dylan
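An added example (not from the thread or from Microsoft) of the workflow Dylan describes: take per-table column metadata of the shape the Log Analytics Tables API returns (assumed to be `properties.schema.columns` with `name`/`type`; the sample below is constructed, not a real capture), map each table's columns onto one common field set, report the columns that map nowhere, and emit a normalizing KQL `project` for each table. The target field names and `FIELD_MAP` are hypothetical.

```python
import json

# Constructed sample shaped like the Tables Get response; two Sentinel
# tables that name the same concept (user, source IP) differently.
SAMPLE_TABLES = json.loads("""
[
 {"name": "SigninLogs", "properties": {"schema": {"columns": [
   {"name": "TimeGenerated", "type": "datetime"},
   {"name": "UserPrincipalName", "type": "string"},
   {"name": "IPAddress", "type": "string"},
   {"name": "ResultType", "type": "string"}]}}},
 {"name": "OfficeActivity", "properties": {"schema": {"columns": [
   {"name": "TimeGenerated", "type": "datetime"},
   {"name": "UserId", "type": "string"},
   {"name": "ClientIP", "type": "string"},
   {"name": "Operation", "type": "string"}]}}}
]
""")

# Hypothetical ontology: target field -> source column per table.
# "*" is a default that applies to any table not listed explicitly.
FIELD_MAP = {
    "EventStartTime": {"*": "TimeGenerated"},
    "ActorUsername": {"SigninLogs": "UserPrincipalName", "OfficeActivity": "UserId"},
    "SrcIpAddr": {"SigninLogs": "IPAddress", "OfficeActivity": "ClientIP"},
}

def table_columns(tables):
    """Flatten API metadata into {table: {column: type}}."""
    return {t["name"]: {c["name"]: c["type"]
                        for c in t["properties"]["schema"]["columns"]}
            for t in tables}

def build_mapping(tables, field_map):
    """Per table: {target: source} plus source columns left unmapped.
    The unmapped list is the coverage check to review before cut-over."""
    result = {}
    for table, columns in table_columns(tables).items():
        mapping, used = {}, set()
        for target, sources in field_map.items():
            src = sources.get(table, sources.get("*"))
            if src in columns:          # only map columns that really exist
                mapping[target] = src
                used.add(src)
        result[table] = {"mapping": mapping,
                         "unmapped": sorted(set(columns) - used)}
    return result

def to_kql(table, mapping):
    """Render the mapping as a normalizing KQL projection for that table."""
    return f"{table} | project " + ", ".join(f"{t}={s}" for t, s in mapping.items())
```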