Nov 28 2019
07:08 AM
- last edited on
Dec 23 2021
10:02 AM
by
TechCommunityAP
Hello folks,
Right after logs are ingested to Azure Sentinel, I need to add an additional key/value pair to the schema and get it populated for every log based on the value of a specific existing key.
For example, all logs should have a new field named Country. If the value of Tenant ID in the ingested logs = xyz, then the Country field should be populated as United States, and so on. So I have pre-known TenantID - Country mappings, and I would like to insert the country values in all logs.
In other SIEM solutions such a requirement can be done by using "feeds".
Any ideas?
Dec 12 2019 02:58 PM
@majo1: to simulate other SIEMs and add a physical field, you will have to use Logstash for ingestion (see here). However the Sentinel way would be to reference the data using for example externaldata or a Sentinel table ingested using a custom connector. While you will not physically create a new field, you can enrich as part of a query, or if you want a "virtual" field, use a "view" function that will add the field on top of the original event. We are going to write a series of blogs on some of those techniques in the coming weeks.
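The query-time enrichment and "view" function described in the reply, as an added KQL example that is not part of the original thread. The TenantId-to-Country mapping is a constructed placeholder kept inline as a datatable; the table name SigninLogsWithCountry, the GUID values and the storage URL in the comment are assumptions, and SecurityEvent is used only as a representative Sentinel table that carries a TenantId column.

```kusto
// Added example (not from the thread): static TenantId -> Country mapping.
// The GUIDs below are constructed placeholders, not real tenant IDs.
let TenantCountry = datatable(TenantId:string, Country:string) [
    "00000000-0000-0000-0000-000000000001", "United States",
    "00000000-0000-0000-0000-000000000002", "Germany"
];
// Alternative source for the same mapping, as the reply suggests, read from a
// CSV in blob storage (placeholder URL; requires a SAS token or public access):
// let TenantCountry = externaldata(TenantId:string, Country:string)
//     [@"https://<storage-account>.blob.core.windows.net/<container>/tenant-country.csv"]
//     with (format="csv", ignoreFirstRecord=true);
//
// "View" function: adds the Country field on top of the original events without
// changing the stored schema. kind=leftouter keeps every original row; tenants
// missing from the mapping get "Unknown" rather than an empty value, so gaps in
// the feed are visible to the analyst instead of silently dropping events.
let SecurityEventWithCountry = () {
    SecurityEvent
    | lookup kind=leftouter TenantCountry on TenantId
    | extend Country = iff(isempty(Country), "Unknown", Country)
};
// Use the view like a table; the enrichment happens at query time.
SecurityEventWithCountry()
| where TimeGenerated > ago(1h)
| summarize Events = count() by Country, EventID
| order by Events desc
```

Saving the let-bound function as a Log Analytics function gives every analytics rule and workbook the same enriched "virtual" table without re-ingesting the data; the mapping itself can later be swapped for a custom table fed by a connector, as the reply notes, by replacing the datatable with that table name in the lookup.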