Sep 24 2020 - last edited on Dec 23 2021
When using the official and supported Logstash output to ingest events from a WEC server, the table is not named `SecurityEvent` (it gets `_CL` appended) and the fields all have their types appended (due to the Log Analytics API; documented behaviour). This breaks features such as the Exploration Queries (used to pivot from the investigation blade), which all expect the table to be named `SecurityEvent` with specific fields.
Do you plan to allow creating the SecurityEvent table with the proper fields through your official Logstash output, or do you plan to allow defining a mapping so that we could specify that the SecurityEvent table corresponds to (for example) Windows_CL and that the field `EventID` is mapped to `EventID_d` (mapping to be defined by the contributor for all fields required by UEBA/Exploration Queries)?
Oct 07 2020 02:25 AM
Have you considered using a parser? This is an example: https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Teams_parser.txt
I used this syntax recently to map a _CL table onto another table, saved as a function called InfoP. You will probably want to map multiple columns; see the example for ideas.
```kusto
// Union the custom (_CL) table with the native table; the `tt` column records which table each row came from.
// Where the native `User` column is empty, fall back to the custom table's typed `UserId_s` column.
union withsource=tt InformationProtectionLogs_CL, InformationProtectionEvents
| extend User = iif(isempty(User), UserId_s, User)
| project User
```
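Applying the same parser idea to the original question, here is an added example (not code from the thread or from the Azure Sentinel repository) that maps a Logstash-ingested custom table onto the SecurityEvent column names and unions it with the native table. The custom table name `Windows_CL` and its type-suffixed columns (`EventID_d`, `Computer_s`, and so on) are assumptions following the suffix behaviour the question describes; confirm your actual column names with `Windows_CL | getschema` before saving this as a function.

```kusto
// Added example: parser function mapping a Logstash/WEC custom table to SecurityEvent columns.
// Assumed custom table: Windows_CL with type-suffixed fields (_s string, _d double).
let SecurityEventFromWEC = () {
    Windows_CL
    | extend
        Computer        = tostring(Computer_s),
        EventID         = toint(EventID_d),          // _d (double) back to the int SecurityEvent uses
        Account         = tostring(Account_s),
        Activity        = tostring(Activity_s),
        Channel         = tostring(Channel_s),
        SubjectUserName = tostring(SubjectUserName_s),
        TargetUserName  = tostring(TargetUserName_s),
        LogonType       = toint(LogonType_d),
        IpAddress       = tostring(IpAddress_s),
        EventData       = tostring(EventData_s)
    | project TimeGenerated, Computer, EventID, Account, Activity, Channel,
              SubjectUserName, TargetUserName, LogonType, IpAddress, EventData
};
// Combine native (agent-collected) and WEC-collected events under one schema.
// SourceTable shows which side each row came from; isfuzzy=true keeps the query
// working in a workspace where one of the two tables does not exist yet.
union withsource=SourceTable isfuzzy=true
    (SecurityEvent
     | project TimeGenerated, Computer, EventID, Account, Activity, Channel,
               SubjectUserName, TargetUserName, LogonType, IpAddress, EventData),
    SecurityEventFromWEC()
// Sanity check that the mapping works: successful RDP logons (4624, logon type 10) per host and source.
| where EventID == 4624 and LogonType == 10
| summarize Logons = count() by Computer, Account, SourceTable
```

Save the `let` body as a workspace function and call it from detection rules or hunting queries in place of the raw custom table; the native `SecurityEvent` table itself cannot be renamed or shadowed, so features that hard-code that table name still need the native ingestion path.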