Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

How to access Null fields in Parsers

Copper Contributor

Hi,

 

We are working on creating a custom connector to ingest the data in Azure Sentinel. We are now working on parsers, and we are trying to replicate the data fields as in Splunk. In Splunk, even though if all the values of a particular field, say name, are null in all the events, then that field will be shown null in all the events.
But in Azure if all the events, of a particular field is null, then Azure removes that particular field.
So as we want to replicate fields to as that of parsers, we can't access that particular field, say name, as azure removed that field. So In parser's if we create a new field statically, name="", then that field will be present. 
But if the value comes in any 1 event out of 1000's, then this static representation would cause Data Loss.

 

So, Can someone help me determine how can we import those null fields into our logs, or method can we use to get those null fields, which Azure removed.

5 Replies

@Ronak_Shah Take a look at the KQL command  column_ifexists() - Azure Data Explorer | Microsoft Docs

It will check to see if a column exists and, if it does, will return its value, otherwise return a default value

@Gary Bushey 

 

Hi, Thanks for your response
Actually, the command  column_ifexists(), will be implemented in the parsers, and it will be useful when we actually know the column name. In column_ifexists('column_name',''), it will check if the 'column_name' column is present or not, if not then null value will be added, But this is all possible when we actually know the 'column_name'. 
And as Azure has removed the column with null field, so it has actually removed our access to the column_name, So how do we know then what to actually type in the 'column_name' name.


So is their any method in which, we don't allow azure to remove that column's with null fields.

@Ronak_Shah Wouldn't the system that is sending the data have a list of the fields it is sending?

@Gary Bushey 

Hi, Thanks for your response


Actually yes, the system that is sending the data have a list of the fields it is sending, But when we pass the data through API to the Azure sentinel, Azure while parsing the data, changes the field names.

Like for eg. In our system we sent fields "name" --> then azure checked for the values of those fields

              --> If the values are null for all the events, then that field is removed

              --> If the field is not null, then that field is present in azure, with a new name say "name_s"

So our concern is, if the fields is removed by azure, how do we know whether that field will come with the name of "name_s" or "something_else"?,

so that we can then write column_ifexists('name_s','') or column_ifexists('something_else','')

@Ronak_Shah Because you are writing this yourself and it is going to a custom table, the fields have the data type appended to them (no idea why, personally I find that quite annoying).  So you will know that a field being sent as "name" will come through as "name_s" if it is a string so you will be able to use column_ifexists('name_s','')