User Profile
J3remy
Copper Contributor
Joined Oct 12, 2019
Recent Discussions
Re: Log Ingestion via Logstash - Custom table
Hi - let's walk backwards a second. You have a schema set up. Did you do this through a DCR, or by manually creating the fields on the table? If you didn't edit the DCR to create a transformKql segment, you'll want to use that - and it'll generate the fields for you. When you click on the three dots next to the table name, it'll give an option for "Edit Transformation". When you click that, it'll ask you to drop in a JSON file.

    output {
      microsoft-sentinel-logstash-output-plugin {
        # The information below is for testing only… set to TRUE to output to a local json file when building the table.
        create_sample_file => false
        sample_file_path => "/usr/share/logstash/output_to_host"
      }
    }

Use the output above in Logstash to have Microsoft give you the JSON file. You can then use that file, drop it in, and click "next". There you'll have to define "extend" fields to map each field to a name. Keep in mind, when you create new fields (i.e., | extend host = extract(...)), the table schema will append a "_s" or "_g" or some such at the end. This is normal, and nothing you can change. If you want it pretty, you'll need to use functions to remap each name to something without the _s / _g / _n / etc.

I found it harder to do Custom-SyslogStream than a normal custom table. These links may be of use:

https://learn.microsoft.com/en-us/azure/sentinel/connect-logstash-data-connection-rules
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations-structure#kql-limitations

Re: Expanded Entities Combined in one alert/incident
Not to necro an ancient post, but this seems to be the most prominent page talking about this. Here's the solution I came up with: load the data into a table (or return it from a function), then join as leftouter on the dataset.

    let theAlertName = "Some Alert in SecurityAlert";
    let days = 1d;
    let Entities_File = SecurityAlert
    | where TimeGenerated > ago(days)
    | where AlertName has theAlertName
    | extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
    | mv-apply Entities on (
        where Entities.Type == "file" //and isnotempty(Entities.ParentProcess)
        | extend File_Directory_ = tostring(Entities.Directory)
        | extend File_FileName_ = tostring(Entities.Name)
        | extend File_Hash_MD5_ = tostring(Entities.ImageFile.FileHashes[1].Value)
        | extend File_Hash_SHA1_ = tostring(Entities.ImageFile.FileHashes[0].Value)
    )
    | project SystemAlertId, File_Directory_, File_FileName_, File_Hash_MD5_, File_Hash_SHA1_;
    SecurityAlert
    | where TimeGenerated > ago(days)
    | where AlertName == theAlertName and Status == 'New'
    | join kind=leftouter Entities_File on SystemAlertId
    | order by SystemAlertId desc

You can then do the same with other entity types; for example, to get user-related entity information, substitute this instead:

    | mv-apply Entities on (
        where Entities.Type == "account"
        | extend ActorName_ = tostring(Entities.Name)
        | extend ActorDnsDomain_ = tostring(Entities.DnsDomain)
        | extend ActorSid_ = tostring(Entities.Sid)
    )
    | project SystemAlertId, ActorName_, ActorDnsDomain_, ActorSid_

When using a method like this, it's a good way to pull out all related entities for creating an incident. If there is more than one user or file or process, they should get included in the incident graph this way...
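Building on the post above, here is an added example (not code from the original post) that combines the file and account extractions into a single query and collapses several entities of one alert into sets, so an alert with many files or users still yields one row. It assumes the SecurityAlert columns and the Entities element shape the post uses; the alert name is a placeholder.

```kql
// Added example, not from the original post: one query that pulls both the file
// and the account entities of an alert and returns one row per alert.
// Assumes the SecurityAlert columns and the Entities element shape used in the post.
let theAlertName = "Some Alert in SecurityAlert";   // placeholder alert name
let days = 1d;
let Alerts = materialize(SecurityAlert
    | where TimeGenerated > ago(days)
    | where AlertName == theAlertName and Status == 'New'
    // same guard as the post: replace an empty Entities string with a dummy element
    | extend Entities = iff(isempty(Entities), todynamic('[{"dummy": ""}]'), todynamic(Entities)));
let Entities_File = Alerts
    | mv-apply Entities on (
        where Entities.Type == "file"
        | extend File_Path_ = strcat(tostring(Entities.Directory), @"\", tostring(Entities.Name))
        | extend File_Hash_SHA1_ = tostring(Entities.ImageFile.FileHashes[0].Value)
    )
    // collapse several file entities of one alert into sets instead of extra rows
    | summarize FilePaths = make_set(File_Path_), FileSHA1s = make_set(File_Hash_SHA1_) by SystemAlertId;
let Entities_Account = Alerts
    | mv-apply Entities on (
        where Entities.Type == "account"
        | extend ActorName_ = tostring(Entities.Name), ActorSid_ = tostring(Entities.Sid)
    )
    | summarize ActorNames = make_set(ActorName_), ActorSids = make_set(ActorSid_) by SystemAlertId;
Alerts
| join kind=leftouter Entities_File on SystemAlertId
| join kind=leftouter Entities_Account on SystemAlertId
// leftouter keeps alerts that have no file or no account entity; their set columns are null
| project TimeGenerated, AlertName, SystemAlertId, FilePaths, FileSHA1s, ActorNames, ActorSids
| order by TimeGenerated desc
```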