Creating a Custom Column in a Data Table and populating from "AdditionalExtensions"

Our Zscaler logs are pushed to our CommonSecurityLog data table. Zscaler pushes the device name to Sentinel, but for some reason it is not given its own column like the rest of the data. It is just added to the AdditionalExtensions column.

Is it possible to parse just the "DeviceHostname=X-X-X-X" from "AdditionalExtensions" and add it to its own separate column labeled DeviceHostname?

2 Replies
The CEF table schema can be found here: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/commonsecuritylog

If the column doesn't exist, you can always create a Log Analytics function and use it as a parser. It will ingest into a Custom Log.
There are 2 ways to address this:
1. Modify the Zscaler output feed to map to one of the well-known columns (e.g. DeviceCustomString2) to ingest into one of the columns. Reference:
https://www.scribd.com/document/465239018/Zscaler-NSS-4-1-CEF-Config-Guide-2013#
2. Create a KQL function (to parse) like:
CommonSecurityLog
| where DeviceVendor == "Zscaler"
| parse AdditionalExtensions with * "DeviceHostname=" DeviceHostname "," *

Creating a new column might not be necessary here.
Hope this helps.
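An added example, not from either reply, showing the same parsing done with `extract()` so the row is kept even when DeviceHostname is the last pair or is missing entirely (where `parse` would drop it). It assumes the Sentinel convention that AdditionalExtensions holds semicolon-separated key=value pairs and that the vendor string is `Zscaler`; the `SampleLogs` datatable is constructed sample data standing in for CommonSecurityLog.

```kusto
// Constructed sample rows that mimic CommonSecurityLog; in a saved function,
// replace SampleLogs with CommonSecurityLog.
let SampleLogs = datatable(TimeGenerated: datetime, DeviceVendor: string, AdditionalExtensions: string) [
    datetime(2024-01-01T10:00:00Z), "Zscaler",     "DeviceHostname=LAPTOP-01;ruletype=FwFilter;location=HQ",
    datetime(2024-01-01T10:01:00Z), "Zscaler",     "ruletype=FwFilter;DeviceHostname=LAPTOP-02",
    datetime(2024-01-01T10:02:00Z), "Zscaler",     "ruletype=FwFilter;location=HQ",
    datetime(2024-01-01T10:03:00Z), "OtherVendor", "DeviceHostname=NOT-ZSCALER"
];
SampleLogs
| where DeviceVendor == "Zscaler"
// Anchor on start-of-string or ";" so a key such as "OtherDeviceHostname=" cannot match;
// extract() returns an empty string instead of dropping the row when the key is absent.
| extend DeviceHostname = extract(@"(?:^|;)DeviceHostname=([^;]*)", 1, AdditionalExtensions)
| extend HasHostname = isnotempty(DeviceHostname)
| project TimeGenerated, DeviceHostname, HasHostname, AdditionalExtensions
```

Rows 1 and 2 yield LAPTOP-01 and LAPTOP-02, row 3 stays in the result with an empty DeviceHostname, and the OtherVendor row is excluded by the vendor filter.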