creating additional/custom fields in "CommonSecurityLog" currently stored as e.g. "DeviceCustomString1"

Question

creating additional/custom fields in "CommonSecurityLog" currently stored as e.g. "DeviceCustomString1"

Peter Schönegger 21

Hi,

how can we achieve creating additional fields for logs being processed in "CommonSecurityLog" (https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/commonsecuritylog)? At the moment incoming data gets mapped to fields like "DeviceCustomString1" or "DeviceCustomString1Label" using CEF. Is it possible creating additional/custom fields in "CommonSecurityLog"?!

We try connecting Palo Alto Networks firewalling infrastructure to Azure Log Analytics / Sentinel exactly following the guide in Sentinel but we see a lot of incoming data being mapped to fields like "DeviceCustomString1" which don't have a characteristic name. (e.g. "Session ID" -> "DeviceCustomString1", Rule Name -> "DeviceCustomString2"). The real field names get stored in the label fields like "DeviceCustomString2Label".

Many thanks and really appreciate your help on that!!

Saurabh Sharma 23,851 Reputation points Microsoft Employee Moderator

2020-08-10T19:50:35.787+00:00

@Peter Schönegger

Regarding your statement -
we see a lot of incoming data being mapped to fields like "DeviceCustomString1" which don't have a characteristic name. (e.g. "Session ID" -> "DeviceCustomString1", Rule Name -> "DeviceCustomString2")

Can you please provide an example (include images) of DeviceCustomString1. I only see DeviceCustomNumber1,DeviceCustomNumber1label in your screenshot. Also, what is the query you are trying to execute on security logs workspace.
Peter Schönegger 21 Reputation points

2020-08-11T07:14:35.313+00:00

Hi, many thanks for your message and help on that which I really appreciate! Please find a full log entry of the search query below:

All the best from Vienna,

Peter
Saurabh Sharma 23,851 Reputation points Microsoft Employee Moderator

2020-08-11T20:40:25.06+00:00

@Peter Schönegger Sorry, but you cannot modify these fields names. About adding a custom field to Azure Monitor logs may work in your case. I am not able to validate the same as I need to set up the Palo Alto Firewall. Please refer to the Create custom fields in a Log Analytics workspace in Azure Monitor for details. This is currently in preview though and preview features are generally not recommended for production use as few things may change when it goes to GA. Hope this helps.
Additionally, I am checking internally with the products team on the same and update you once I hear back.

Accepted answer

0 additional answers

Your answer

Saurabh Sharma 23,851 Reputation points Microsoft Employee Moderator

2020-08-10T19:50:35.787+00:00

@Peter Schönegger

Regarding your statement -
we see a lot of incoming data being mapped to fields like "DeviceCustomString1" which don't have a characteristic name. (e.g. "Session ID" -> "DeviceCustomString1", Rule Name -> "DeviceCustomString2")

Can you please provide an example (include images) of DeviceCustomString1. I only see DeviceCustomNumber1,DeviceCustomNumber1label in your screenshot. Also, what is the query you are trying to execute on security logs workspace.
Peter Schönegger 21 Reputation points

2020-08-11T07:14:35.313+00:00

Hi, many thanks for your message and help on that which I really appreciate! Please find a full log entry of the search query below:

All the best from Vienna,

Peter
Saurabh Sharma 23,851 Reputation points Microsoft Employee Moderator

2020-08-11T20:40:25.06+00:00

@Peter Schönegger Sorry, but you cannot modify these fields names. About adding a custom field to Azure Monitor logs may work in your case. I am not able to validate the same as I need to set up the Palo Alto Firewall. Please refer to the Create custom fields in a Log Analytics workspace in Azure Monitor for details. This is currently in preview though and preview features are generally not recommended for production use as few things may change when it goes to GA. Hope this helps.
Additionally, I am checking internally with the products team on the same and update you once I hear back.

Answer 1

Saurabh Sharma 23,851 Microsoft Employee Moderator

@Peter Schönegger I have received confirmation from PG team that they are currently not supporting adding custom fields to table. Palo Alto recommended configuration sends this fields the those fields, other extra fields will be sent to "AdditionalExtensions" field. Also, they are already aware of the importance of this requirement for many customers so they are working to provide a solution in the up coming year.

----------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

Peter Schönegger 21 Reputation points

2020-08-17T04:29:29.897+00:00

Thanks a lot for your feedback on this issue and for double checking with your PG team! Really appreciate that! It would be very important having a solution for that in the future by simply making it possible adding custom fields to the CommonSecurityLog table. Take care and best regards, Peter
Saurabh Sharma 23,851 Reputation points Microsoft Employee Moderator

2020-08-17T15:44:39.62+00:00

@Peter Schönegger I agree, thanks for accepting the answer. Take care.
Sivulich, Scott (OIT) 0 Reputation points

2023-07-10T22:43:13.7266667+00:00

Was there ever a solution found to this issue? I want to modify the field names in commonsecuritylog for Zscaler logs.

Share via

creating additional/custom fields in "CommonSecurityLog" currently stored as e.g. "DeviceCustomString1"

0 additional answers

Your answer