KQL - join condition issue

Georgi Palazov 286 Reputation points
2022-11-06T16:48:59.51+00:00

Hello,

I'm trying to enrich the logs coming from Oracle in Sentinel for a customer. It seems that the only unique field from the OracleDatabaseAuditEvent table is DbId and this is what I'll use.
The way to enrich the events from the Oracle feed is to match the DbId column (which seems to be unique for Oracle) of the OracleDatabaseAuditEvent table in Sentinel with a watchlist containing more information for each database. Where there are matches between the watchlist and the table in Sentinel these events are enriched; if there's no match Sentinel returns just the record of the OracleDatabaseAuditEvent table.
Unfortunately that is not the case, because the watchlist (list sent from the Oracle team) contains names of databases with duplicate DbId in some rows.

Oracle events for the last hour: (screenshot of the query result; image not included)

I use leftouter to keep the results of the OracleDatabaseAuditEvent even if the join condition doesn't find any matching record from the watchlist: (screenshot of the join query; image not included)

My questions are:

  1. Why do I get a higher log count after joining the tables? If I'm doing everything the right way it seems I should be getting the same exact count of events (or close). I assume Sentinel produces more records because of the duplication in the DbId column from the watchlist?
  2. I came upon this - https://dba.stackexchange.com/questions/178129/oracle-dbid-what-is-logic-to-create-oracle-dbid - Does this mean that the Oracle team have copies of their DBs and this is why there are duplicate DbIds?
  3. How do I enrich the events then if that's not the case?
Microsoft Security | Microsoft Sentinel

1 answer

  1. David Broggy 6,371 Reputation points MVP Volunteer Moderator
    2022-11-08T19:41:53.23+00:00

    Hi ppal,
    It's likely left joins don't work the way you expect.
    As you can see in this example, null matches may be getting returned.
    Try your query w/o the summarization to see.
    join operator (screenshot of the documentation example; image not included)

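The row multiplication asked about in question 1 and the enrichment asked about in question 3, together with the answer's point that a left join can return more rows than the left table, can be reproduced with constructed inline data. The KQL below is an added example and is not code from either post; the OracleDatabaseAuditEvent column names other than DbId, the watchlist columns, and the sample values are all assumptions. In a real workspace the watchlist would come from _GetWatchlist('<watchlist-name>') rather than a datatable.

```kql
// Constructed sample events; column names other than DbId are assumptions.
let OracleEvents = datatable(TimeGenerated: datetime, DbId: string, Action: string)
[
    datetime(2022-11-06 15:00:00), "1001", "LOGON",
    datetime(2022-11-06 15:05:00), "1001", "SELECT",
    datetime(2022-11-06 15:10:00), "2002", "LOGON",
    datetime(2022-11-06 15:15:00), "3003", "LOGON"   // DbId with no watchlist entry
];
// Constructed stand-in for the watchlist (replace with _GetWatchlist('<watchlist-name>') in Sentinel).
// DbId 1001 appears twice, which is the duplication the question describes.
let Watchlist = datatable(DbId: string, DbName: string, Owner: string)
[
    "1001", "PROD_A",      "team-a",
    "1001", "PROD_A_COPY", "team-a",
    "2002", "PROD_B",      "team-b"
];
// Step 1: collapse the watchlist to one row per DbId so the join key is unique.
// Duplicate names are kept as a list instead of being silently dropped.
let WatchlistByDbId = Watchlist
    | summarize DbNames = strcat_array(make_set(DbName), ", "), Owner = take_any(Owner) by DbId;
// Step 2: leftouter join keeps every event; an event with no match (DbId 3003)
// still comes back, with empty DbNames and Owner.
// Joining against the raw Watchlist instead would return 6 rows for these 4 events,
// because each DbId 1001 event matches two watchlist rows.
OracleEvents
| join kind=leftouter WatchlistByDbId on DbId
| project TimeGenerated, DbId, Action, DbNames, Owner
| order by TimeGenerated asc
```

Running the final query returns 4 rows, the same as the event table; swapping WatchlistByDbId for Watchlist in the join returns 6. Comparing `| count` of the event table against `| count` of the joined result, as the answer suggests doing without any summarization, is the quickest way to confirm that duplicate join keys, not the leftouter kind itself, are inflating the count.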
