creating additional/custom fields in "CommonSecurityLog" currently stored as e.g. "DeviceCustomString1"

Peter Schönegger 21 Reputation points
2020-08-10T11:38:08.54+00:00

Hi,

How can we create additional fields for logs being processed in "CommonSecurityLog" (https://video2.skills-academy.com/en-us/azure/azure-monitor/reference/tables/commonsecuritylog)? At the moment incoming data gets mapped to fields like "DeviceCustomString1" or "DeviceCustomString1Label" using CEF. Is it possible to create additional/custom fields in "CommonSecurityLog"?!

We are trying to connect our Palo Alto Networks firewalling infrastructure to Azure Log Analytics / Sentinel, following the guide in Sentinel exactly, but we see a lot of incoming data being mapped to fields like "DeviceCustomString1" which don't have a characteristic name (e.g. "Session ID" -> "DeviceCustomString1", "Rule Name" -> "DeviceCustomString2"). The real field names get stored in the label fields like "DeviceCustomString2Label".

Many thanks and really appreciate your help on that!!

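An added example (not part of the question and not code from Microsoft or Palo Alto Networks) showing how the slot-numbered columns described above can be read back under their real names at query time. Because the CEF connector stores each custom value in a DeviceCustomStringN column and its name in the matching DeviceCustomStringNLabel column, a KQL query can pack the label/value pairs into a dynamic property bag and then project named columns from it. The DeviceVendor filter value and the "Session ID" / "Rule Name" label strings are assumptions taken from the question; check the exact label text your firewalls send before relying on them.

```kql
// Added example: derive named columns from the label/value slot pairs.
// Keying on the label text rather than on the slot number keeps the
// query correct even if a different log type fills the slots in another order.
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"          // assumed vendor string
| extend CustomFields = bag_pack(
    DeviceCustomString1Label, DeviceCustomString1,
    DeviceCustomString2Label, DeviceCustomString2,
    DeviceCustomString3Label, DeviceCustomString3,
    DeviceCustomString4Label, DeviceCustomString4,
    DeviceCustomString5Label, DeviceCustomString5,
    DeviceCustomString6Label, DeviceCustomString6)
// Label strings below are the ones quoted in the question; adjust to match your data.
| extend SessionId = tostring(CustomFields["Session ID"]),
         RuleName  = tostring(CustomFields["Rule Name"])
| project TimeGenerated, DeviceAction, SourceIP, DestinationIP,
          SessionId, RuleName, CustomFields
```

The query does not add columns to the CommonSecurityLog table itself; it computes them on read. Saving it as a Log Analytics function lets analytics rules, hunting queries and workbooks reference SessionId and RuleName directly, and a detection keyed on the label is not silently broken if a future connector update moves a value to a different DeviceCustomStringN slot.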
