cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

how to add custom field in "CommonSecurityLog" Table

akshay250692
Brass Contributor

‎Oct 31 2022 03:09 AM

‎Oct 31 2022 03:09 AM

how to add custom field in "CommonSecurityLog" Table

Hi Guys,

 

I am adding new column in CommonSecurity Table. But i am having issue in kql quey. Please help me. This is Palo alto related logs. As "cat" field is in both Threat and System. So it is going to overlap. thats why i have to run  query with "OR" operator so Threat "cat" field will not overlap with System "cat" field. Please help me.

.

CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT")
| extend SessionEndReason_CF = extract('reason=([^;]+)',1, AdditionalExtensions)
| extend ThreatContentName_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
| extend thr_category_CF = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)

 

combined with "OR" condition

 

| where Activity == "SYSTEM"
| extend EventID_CF = extract('cat=([^;]+)',1, AdditionalExtensions)

379 Views
0 Likes
0 Replies
Reply
0 Replies