Mar 31 2019 10:13 AM
Is data normalization/categorization on the roadmap? I want to be able to query across multiple tables for IP addresses. Currently, it appears that I have to know the various names of the IP address fields across many different tables. Then if a table is added, I have to update my queries. Maybe that's supposed to be done through Alerts, but that seems pretty late in the event data processing pipeline. Am I overlooking something here?
Please bear in mind that my perspective is heavily ArcSight-oriented. I tend to look at SIEM through that lens.
Apr 01 2019 03:31 AM
The product group will have to say if normalization is on the cards. You can check the tables if you have a test IP address; this will list the table names. Tables are added infrequently (generally), and you would have to adapt your query to JOIN / UNION this new data.
search "10.10.10.10" | summarize count() by $table
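One way to do the cross-table IP lookup the reply describes while normalizing the differently named IP columns into a single field, as an added example that is not part of the original thread and not Microsoft's own code. It assumes a Log Analytics workspace with the standard SecurityEvent (IpAddress), CommonSecurityLog (SourceIP, DestinationIP) and Syslog (SyslogMessage) columns; the IP value 10.10.10.10 is the constructed test address from the reply above.

```kql
// Added example: build one normalized SrcIp column across tables, then query it once.
// Assumed column names: SecurityEvent.IpAddress, CommonSecurityLog.SourceIP/DestinationIP,
// Syslog.SyslogMessage (free text, so the address is extracted with a regex).
let lookback = 7d;
let target_ip = "10.10.10.10";   // constructed test value
union withsource=SourceTable
    (SecurityEvent
        | where TimeGenerated > ago(lookback)
        | project TimeGenerated, SrcIp = IpAddress, Detail = Activity),
    (CommonSecurityLog
        | where TimeGenerated > ago(lookback)
        | project TimeGenerated, SrcIp = SourceIP, DstIp = DestinationIP, Detail = DeviceEventClassID),
    (Syslog
        | where TimeGenerated > ago(lookback)
        | project TimeGenerated,
                  SrcIp = extract(@"\b(\d{1,3}\.){3}\d{1,3}\b", 0, SyslogMessage),
                  Detail = ProcessName)
// One predicate now covers every table; adding a table means adding one union branch,
// not rewriting the predicate.
| where SrcIp == target_ip or DstIp == target_ip
| summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceTable
| order by Events desc
```

The `search "10.10.10.10" | summarize count() by $table` form in the reply is the quickest way to discover which tables carry a value, but it scans every column as text and cannot distinguish source from destination; the union above pays the cost of naming each table's column once and in return gives a typed `SrcIp`/`DstIp` that later filters, joins and analytics rules can rely on.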