Odd Field mapping behaviour


Hello All -

Wondering if anyone else has/is encountering some odd behavior with log indexing to uncommon fields? Recently we discovered that when we were doing queries in Sentinel/Log Analytics Workspace we would be getting results, but the columns would be empty while the count would be high. We then discovered that many new fields had been populated, such as: UserId_, ClientIP_, Site_. All of these fields have an underscore and are not part of the supported Connectors (Office 365). What's more bizarre is that sometimes data is indexed to the common supported field such as UserId and the next record is indexed to UserId_. This makes it a nightmare to query, run Workbooks, Playbooks etc. Just curious if anyone else is seeing this?

2 Replies

Hi @TheriumSec,

This was a system issue. The issue has been resolved and data should consistently appear in the documented fields.

~ Ofer

Hi @Ofer_Shezaf 

Thank you for your insight into this issue. We are now seeing the data mapping to the proper fields; however, the newly created fields such as UserId_, ClientIP_, OrganizationId_, etc. are all still being populated as well. Also, when this occurred, it caused historical data to be misrepresented in unsupported fields and not even written to the supported fields; that has not been fixed. Is anyone else noticing this specific to Office 365 logs in Sentinel?
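The split described in the original post and the follow-up (records landing in UserId_ instead of UserId, and historical records never written to the documented column) matters beyond query convenience: any analytics rule, workbook or playbook that filters on UserId or ClientIP silently misses every record that was indexed into the underscore-suffixed twin, so a detection can have a coverage gap with no error to show for it. The KQL below is an added example, not code from the thread or from Microsoft. It assumes the Office 365 connector's OfficeActivity table and uses the column names mentioned in the thread (UserId_, ClientIP_, OrganizationId_); since the suffixed columns may no longer exist in a given workspace, column_ifexists() keeps the query from failing where they are absent. The first query measures the size of the gap per day; the second shows how to coalesce both variants so historical and current records are queried through one column.

```kql
// Added example (not from the thread). Part 1: quantify how many records
// landed only in the documented column, only in the suffixed twin, or both.
// column_ifexists() returns the default ("") when the column is absent,
// so this runs unchanged in workspaces that never had the twin columns.
OfficeActivity
| where TimeGenerated > ago(90d)
| extend UserIdTwin = column_ifexists("UserId_", "")
| extend InDocumented = isnotempty(UserId), InSuffixed = isnotempty(UserIdTwin)
| summarize
    Records        = count(),
    DocumentedOnly = countif(InDocumented and not(InSuffixed)),
    SuffixedOnly   = countif(InSuffixed and not(InDocumented)),   // invisible to rules keyed on UserId
    Both           = countif(InDocumented and InSuffixed),
    Neither        = countif(not(InDocumented) and not(InSuffixed))
  by bin(TimeGenerated, 1d)
| order by TimeGenerated asc

// Part 2: query through one column regardless of where the value was indexed.
// coalesce() returns the first non-empty string, so the documented column wins
// when both are populated and the twin fills in for the affected records.
OfficeActivity
| where TimeGenerated > ago(90d)
| extend
    UserId         = coalesce(UserId,         column_ifexists("UserId_", "")),
    ClientIP       = coalesce(ClientIP,       column_ifexists("ClientIP_", "")),
    OrganizationId = coalesce(OrganizationId, column_ifexists("OrganizationId_", ""))
| where isnotempty(UserId)
| summarize Operations = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
  by UserId, Operation, OrganizationId
| order by Operations desc
```

The second query is the pattern to fold into any analytics rule or workbook that must also cover the affected historical window: run the coalesce in an extend step before the rule's own where/summarize logic, and re-check Part 1 after Microsoft's fix to confirm the SuffixedOnly count stays at zero for new data, which tells you the twin columns can be dropped from the coalesce once the old data has aged out of retention.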