SIEM agent IPv6 Field label inconsistency

Hi all

Using the SIEM agent with MCAS, most of the field labels have no spaces:

cs1Label=portalURL

cs2Label=uniqueServiceAppIds

cs3Label=targetObjects

cs4Label=policyIDs

Why did MS decide to give this one spaces and quotes?

c6a1Label="Device IPv6 Address"

We will modify our SIEM parsing to work around this, but it is an unnecessary hassle. There are examples in the docs here:

https://docs.microsoft.com/en-us/cloud-app-security/siem#sample-activity-logs

Regards

J

0 Replies
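
One way to handle the workaround described in the post, added here as an example and not taken from the original post or from Microsoft: a CEF extension parser that lets values contain spaces and strips wrapping quotes from label values before pairing each `<key>Label` with `<key>`. The sample record, its vendor and product names, and all field values are constructed; only the label names come from the post.

```python
import re

# A key is word characters followed by '=' at the start of the extension or
# after whitespace; its value runs up to the next key, so values may hold spaces.
_KEY = re.compile(r'(?<!\S)(\w+)=')

def _unescape(value):
    # CEF extension escapes: \= and \\ are literal, \n and \r are line breaks.
    return re.sub(r'\\([=\\nr])',
                  lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), value)

def parse_extension(ext):
    keys = list(_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields

def resolve_labels(fields):
    # Pair each <key>Label with <key>, dropping quotes that wrap the label.
    named = {}
    for key, label in fields.items():
        base = key[:-len('Label')]
        if key.endswith('Label') and base in fields:
            if len(label) >= 2 and label[0] == label[-1] == '"':
                label = label[1:-1]
            named[label] = fields[base]
    return named

def parse_cef(line):
    # Seven header fields split on unescaped pipes, then the extension.
    parts = re.split(r'(?<!\\)\|', line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith('CEF:'):
        raise ValueError('not a CEF record')
    fields = parse_extension(parts[7])
    return fields, resolve_labels(fields)

# Constructed sample record (placeholder vendor, product and values).
SAMPLE = (r'CEF:0|ExampleVendor|ExampleProduct|0.0|100|Log on|0|'
          r'msg=Log on: user\=alice cs1Label=portalURL '
          r'cs1=https://portal.example.invalid/#/audits cs4Label=policyIDs cs4= '
          r'c6a1Label="Device IPv6 Address" c6a1=2001:db8::1')

if __name__ == '__main__':
    for label, value in parse_cef(SAMPLE)[1].items():
        print(f'{label!r}: {value!r}')
```

An unescaped `word=` inside a value is still ambiguous in CEF, so a parser like this depends on the sender escaping `=` in values.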