cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Creating extra field based on an existing one

majo1
Copper Contributor

‎Nov 28 2019 07:08 AM - last edited on ‎Dec 23 2021 10:02 AM by

‎Nov 28 2019 07:08 AM - last edited on ‎Dec 23 2021 10:02 AM by

Creating extra field based on an existing one

Hello folks,

 

Right after logs are ingested to Azure Sentinel, i need to add an additional key/value pair to the schema  and get it populated for every log based on the value of a specific existing key.

 

For example, all logs should have a new field named Country. If the value of Tenant ID in the ingested logs = xyz, then the Country field should be populated as United Stated, and so on. So i have pre-known TenantID - Country mappings, and i would like to insert the country values in all logs.

 

In other SIEM solutions such requirement can be done by using "feeds".

 

Any ideas ?

 

 

 

 

747 Views
0 Likes
1 Reply
Reply
1 Reply
Ofer_Shezaf

‎Dec 12 2019 02:58 PM

‎Dec 12 2019 02:58 PM

Re: Creating extra field based on an existing one

@majo1 : to simulate other SIEMs and add a physical field, you will have to use Logstash for ingestion (see here). However the Sentinel way would be to reference the data using for example externaldata or a Sentinel table ingested using a custom connector. While you will not physically create a new field, you can enrich as part of a query, or if you want a "virtual" field, use a "view" function that will add the field on top of the original event. We are going to write a series of blogs on some of those techniques in the coming weeks.

0 Likes
Reply