
Field normalization and categorization at point of ingest on the roadmap?

PeterSchawacker
New Contributor

Is data normalization/categorization on the roadmap? I want to be able to query across multiple tables for IP addresses. Currently, it appears that I have to know the various names of IP address fields across many different tables. Then if a table is added, I have to update my queries. Maybe that's supposed to be done through Alerts, but that seems pretty late in the event data processing pipeline. Am I overlooking something here?


Please bear in mind that my perspective is heavily ArcSight-oriented. I tend to look at SIEM through that lens.

1 Reply

The product group will have to say if normalization is on the cards. You can check the tables if you have a test IP address. This will list the table name; tables are added infrequently (generally), and you would have to adapt your query to JOIN / Union this new data.


search "10.10.10.10"
| summarize count() by $table
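The reply's `search` query tells you which tables mention the address; the remaining step, adapting the query so one IP lookup spans tables whose IP columns have different names, is shown below as an added KQL example. It is not part of the original post or reply, and it assumes two standard Log Analytics tables with differently named IP columns (SecurityEvent.IpAddress, and CommonSecurityLog.SourceIP / DestinationIP); the lookup address is the constructed test value from the reply.

```kql
// Added example (not from the thread). Each branch of the union renames its
// table-specific IP column(s) to a common SrcIp / DstIp, so the filter below
// only has to know the normalized names. When search "<ip>" | summarize count()
// by $table turns up another table, add one more branch here instead of editing
// every query that looks up an IP.
let LookupIp = "10.10.10.10";   // constructed test address
union withsource=SourceTable
    (SecurityEvent
        | project TimeGenerated, Computer, SrcIp = IpAddress, DstIp = ""),
    (CommonSecurityLog
        | project TimeGenerated, Computer, SrcIp = SourceIP, DstIp = DestinationIP)
| where SrcIp == LookupIp or DstIp == LookupIp
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated) by SourceTable
```

Saving the union (everything above the `where`) as a workspace function gives the normalized view a single name that other queries and analytics rules can reference, which is the closest query-time equivalent of the ingest-time normalization the question asks about: new tables still have to be added to the function, but only in one place.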