Jun 12 2020
06:54 AM
- last edited on
Dec 23 2021
10:02 AM
by
TechCommunityAP
Jun 12 2020
06:54 AM
- last edited on
Dec 23 2021
10:02 AM
by
TechCommunityAP
Hello All -
Wondering if anyone else has/is encountering some odd behavior with log indexing to uncommon fields? Recently we discovered when we we doing queries in Sentinel/Log Analytics Workspace we would be getting results but the columns would be empty but the count would be high. We then discovered that many new fields had been populated such as: UserId_, ClientIP_,Site_ All of these fields have an underscore and are not part of the supported Connectors (Office 365). Whats more bizarre is that sometime data is indexed to the common support field such as UserId and the next record is indexed to UserId_ This makes it a nightmare to query, run Workbooks, Playbooks etc. Just curious if anyone else is seeing this?
Jun 14 2020 11:26 PM
Hi @TheriumSec,
This was a system issue. The issue has been resolved and data should consistently appear in the documented fields.
~ Ofer
Jun 17 2020 07:30 AM
Hi @Ofer_Shezaf
Thank you for your insight into this issue. We are now seeing the data mapping to the proper fields, however the newly created fields such as UserId_, ClientIP_, OrganizationId_, etc. are all still being populated as well. Also when this occurred it caused historical data to be misrepresented in unsupported fields and not even written to in the supported fields, that has not been fixed. Is anyone else noticing this specific to Office 365 logs in Sentinel?