Creating extra field based on an existing one

majo1
New Contributor

Hello folks,

Right after logs are ingested to Azure Sentinel, I need to add an additional key/value pair to the schema and get it populated for every log based on the value of a specific existing key.

For example, all logs should have a new field named Country. If the value of Tenant ID in the ingested logs = xyz, then the Country field should be populated as United States, and so on. So I have pre-known TenantID - Country mappings, and I would like to insert the country values in all logs.

In other SIEM solutions, such a requirement can be done by using "feeds".

Any ideas?
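One way to express the TenantID-to-Country mapping described above in KQL, as an added example that is not part of the original post: a static `datatable` holds the known mappings and a `lookup` attaches the Country column to each record at query time. The `SampleLogs` table, the tenant values and the column names are constructed placeholders.

```kusto
// Added example, not from the original post: enrich records with a Country column
// from a known TenantId -> Country mapping using a KQL lookup.
// Both tables below are constructed sample data; point the query at the real
// table (or save it as a workspace function) instead of SampleLogs.
let TenantCountry = datatable(TenantId:string, Country:string)
[
    "xyz", "United States",   // constructed mapping values
    "abc", "Germany"
];
let SampleLogs = datatable(TimeGenerated:datetime, TenantId:string, Activity:string)
[
    datetime(2019-12-01 10:00:00), "xyz",   "Logon",
    datetime(2019-12-01 10:05:00), "abc",   "Logoff",
    datetime(2019-12-01 10:07:00), "nomap", "Logon"    // tenant with no mapping
];
SampleLogs
| lookup kind=leftouter TenantCountry on TenantId
| extend Country = iff(isempty(Country), "Unknown", Country)   // keep unmapped rows visible
| project TimeGenerated, TenantId, Activity, Country
```

This adds the column when the query runs rather than changing the stored schema, so an unmapped tenant shows up as "Unknown" instead of silently dropping the row.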