Creating extra field based on an existing one

Occasional Contributor

Hello folks,

 

Right after logs are ingested to Azure Sentinel, i need to add an additional key/value pair to the schema  and get it populated for every log based on the value of a specific existing key.

 

For example, all logs should have a new field named Country. If the value of Tenant ID in the ingested logs = xyz, then the Country field should be populated as United Stated, and so on. So i have pre-known TenantID - Country mappings, and i would like to insert the country values in all logs.

 

In other SIEM solutions such requirement can be done by using "feeds".

 

Any ideas ?

 

 

 

 

1 Reply

@majo1 : to simulate other SIEMs and add a physical field, you will have to use Logstash for ingestion (see here). However the Sentinel way would be to reference the data using for example externaldata or a Sentinel table ingested using a custom connector. While you will not physically create a new field, you can enrich as part of a query, or if you want a "virtual" field, use a "view" function that will add the field on top of the original event. We are going to write a series of blogs on some of those techniques in the coming weeks.