User Profile
majo1
Copper Contributor
Joined 6 years ago
Recent Discussions
Creating extra field based on an existing one
Hello folks, Right after logs are ingested to Azure Sentinel, I need to add an additional key/value pair to the schema and get it populated for every log based on the value of a specific existing key. For example, all logs should have a new field named Country. If the value of Tenant ID in the ingested logs = xyz, then the Country field should be populated as United States, and so on. So I have pre-known TenantID - Country mappings, and I would like to insert the country values in all logs. In other SIEM solutions such a requirement can be done by using "feeds". Any ideas?

Creating new field in logs based on existing one
Hello, So as the logs are ingested in Azure Sentinel, I want to add a new key/value to the logs table based on a key that already exists in the logs. For example, the new key is "Country", and if the Tenant-ID value existing in the logs is XYZ then the country should be added as "United States". How can I add such a new key and value to Azure Sentinel schemas? In other SIEM solutions, this is achieved by using Feeds. Thanks.

Infoblox and Parsing Questions
Hello, Have Infoblox DNS Query/Response logs been tested with Azure Sentinel? I am testing it and have found that Infoblox DNS seems to generate only Threat Logs in CEF. The other DNS logging categories, such as DNS Queries/Responses, are logged in some non-CEF format over syslog, like the following:

##<166>Dec 23 12:54:05 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)

I can't even see these logs in the Sentinel Workspace. The logs arrive at the on-prem Syslog Agent and are forwarded to the omsagent process over port 25226, but beyond that I don't see them anywhere. The OMSAgent fluentd parsing checks that the incoming message has "CEF or ASA" keywords before processing the message further, which seems to be a showstopper for the above mentioned syslog message. Please advise:

1. Should we create a custom parser for Infoblox query/response logs, or has Microsoft already addressed them?
2. Does the syslog message (payload) parsing occur at the OMSAgent side or at the Azure Sentinel Workspace side?
3. By having a vendor connector listed in the Azure Sentinel connector list, such as ASA, Fortigate, .., does this mean having a "parser" in the background? I noticed that vendor connectors do query the CommonSecurityLog with a filter of "device vendor", so I don't fully understand the technical meaning of "having a connector for X vendor".
4. How to troubleshoot logs processing and ingestion after the logs are delivered from the syslog daemon to the omsagent daemon? Any troubleshooting files or tables to look into?

Thanks in advance.

Re: Infoblox and Parsing Questions
thomasdefise Thanks Thomas. I don't think "facility" has anything to do with the case of Infoblox query/response logs, because the Fluentd settings match on two keywords in order to process logs further, and those are CEF/ASA. Infoblox query/response logs don't have either of the two keywords. I understand from you that a Sentinel connector has nothing to do with parsing. Correct? Do you know where syslog payload parsing takes place? At the OMSAgent side or at the Sentinel WA side?

Re: Creating new field in logs based on existing one
CliveWatson Thank you for the answer. Customizing logs or modifying them before sending to Azure doesn't seem to be a possible option. The Extend feature is close to my requirement. Question: After the Extend function is done, like the example you provided, is there a way to insert the Extended value back in the logs in the database so that the Extended value permanently becomes part of the log? To clarify by example, after I populate the value of CountryCode = 'US', I want the other analysts to find that value already in the logs whenever they perform queries on the affected table. The requirement can probably be described as Extend at ingestion time, rather than query time. Thanks in advance.
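The TenantID-to-Country mapping asked about in the "Creating new field" thread can be expressed at query time in KQL by joining the log table against a small mapping table. The query below is an added example, not code from the thread or from the answer referenced above; the table name SampleLogs, the column names and the mapping values are constructed assumptions, so replace them with the real table and the real TenantID/Country pairs.

```kql
// Added example (not from the thread): query-time enrichment of a TenantId
// with a Country value, using a constructed mapping table and lookup.
// Table and column names are assumptions, not taken from the original posts.
let TenantCountryMap = datatable(TenantId: string, Country: string)
[
    "xyz", "United States",   // constructed sample mapping, replace with real pairs
    "abc", "Germany",
];
// Constructed sample log rows standing in for the real ingested table.
let SampleLogs = datatable(TimeGenerated: datetime, TenantId: string, Message: string)
[
    datetime(2024-01-01 10:00:00), "xyz", "constructed sample event 1",
    datetime(2024-01-01 10:01:00), "abc", "constructed sample event 2",
    datetime(2024-01-01 10:02:00), "nomatch", "constructed sample event 3",
];
SampleLogs
// leftouter keeps rows whose TenantId has no mapping instead of dropping them
| lookup kind=leftouter TenantCountryMap on TenantId
// Make the unmapped case explicit so analysts can filter on it
| extend Country = iff(isempty(Country), "Unknown", Country)
| project TimeGenerated, TenantId, Country, Message
```

This is query-time enrichment: it does not write Country back into the stored rows. Saving the query as a workspace function lets other analysts call it without repeating the mapping, but the value only exists while the query runs, which is the gap the follow-up post above is asking about.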