Common data dictionary for network connections


Hello,


Has there emerged a common data dictionary for network connections or firewall logs? Consider a situation where you want to do analytics across network logs from a wide variety of devices. Each device type logs with different names (or no names at all - e.g. pfSense logs as comma-separated values with no headers). It makes sense to bring all logs to a common data dictionary - same, common names.


Has anything like that emerged in the Sentinel community?

1 Reply

@truekonrads : a normalized schema for network events is currently in private preview.  You can join the preview program here: https://aka.ms/SecurityPrP
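The normalization the question describes, as an added example that is not part of the thread and not Microsoft's schema: a headerless pfSense-style CSV line and a key=value line from a second vendor are mapped onto one set of common field names. The common names, the pfSense column order and the vendor-B keys are all constructed assumptions for the example.

```python
import csv
import io

# Hypothetical common field names (an assumption for this example, not an
# official schema): every source is mapped onto exactly these keys.
COMMON_FIELDS = ("DvcAction", "SrcIpAddr", "SrcPortNumber", "DstIpAddr",
                 "DstPortNumber", "NetworkProtocol", "Dvc")

# Assumed column order of a headerless pfSense-style CSV line (constructed
# layout for the example; check the real filterlog layout before reuse).
PFSENSE_COLUMNS = ("rule", "action", "direction", "proto",
                   "src", "dst", "srcport", "dstport")

# Vendor-specific names mapped onto the common names (constructed mappings).
PFSENSE_MAP = {"action": "DvcAction", "src": "SrcIpAddr", "srcport": "SrcPortNumber",
               "dst": "DstIpAddr", "dstport": "DstPortNumber", "proto": "NetworkProtocol"}
KV_MAP = {"act": "DvcAction", "src_ip": "SrcIpAddr", "src_port": "SrcPortNumber",
          "dst_ip": "DstIpAddr", "dst_port": "DstPortNumber", "protocol": "NetworkProtocol"}
# Vendors also disagree on the action vocabulary; collapse it to allow/deny.
ACTION_MAP = {"block": "deny", "deny": "deny", "drop": "deny",
              "pass": "allow", "allow": "allow", "accept": "allow"}

def _finish(common, device):
    # Same keys on every record: fill gaps with None, cast ports, unify actions.
    out = {name: common.get(name) for name in COMMON_FIELDS}
    out["Dvc"] = device
    for port in ("SrcPortNumber", "DstPortNumber"):
        out[port] = int(out[port]) if out[port] not in (None, "") else None
    act = out["DvcAction"].lower() if out["DvcAction"] else None
    out["DvcAction"] = ACTION_MAP.get(act, act)
    out["NetworkProtocol"] = out["NetworkProtocol"].lower() if out["NetworkProtocol"] else None
    return out

def normalize_pfsense(line, device="pfsense-fw1"):
    values = next(csv.reader(io.StringIO(line)))
    if len(values) != len(PFSENSE_COLUMNS):  # headerless: column count is the only check
        raise ValueError(f"expected {len(PFSENSE_COLUMNS)} columns, got {len(values)}")
    raw = dict(zip(PFSENSE_COLUMNS, values))
    return _finish({PFSENSE_MAP[k]: v for k, v in raw.items() if k in PFSENSE_MAP}, device)

def normalize_kv(line, device="vendor-b-fw"):
    raw = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return _finish({KV_MAP[k]: v for k, v in raw.items() if k in KV_MAP}, device)

# Constructed sample lines describing the same connection from two devices.
PFSENSE_LINE = "100,block,in,TCP,203.0.113.5,192.0.2.10,51234,22"
KV_LINE = "act=Deny src_ip=203.0.113.5 src_port=51234 dst_ip=192.0.2.10 dst_port=22 protocol=tcp"

if __name__ == "__main__":
    for rec in (normalize_pfsense(PFSENSE_LINE), normalize_kv(KV_LINE)):
        print(rec)
```

Once both sources share the common keys, a single query over SrcIpAddr, DstPortNumber and DvcAction covers every device.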