
EventOutcome field and value do not appear in CommonSecurityLog table

Open mlaraibkhan opened this issue 3 years ago • 5 comments

Microsoft CEF event mapping documentation says the Outcome field is mapped in the CommonSecurityLog table.


However, there's no Outcome field in the CommonSecurityLog schema. But there's one field called EventOutcome as shown in MS Sentinel below.


However, once a CEF event has arrived in Sentinel, the outcome value does not appear in the correct field, despite the outcome being set in the raw event.

outcome value appears in AdditionalExtensions

Issue

The documented version of the CommonSecurityEvent schema mapping and the MS Sentinel version of the CommonSecurityEvent schema should be homogeneous.

Bug-1

Raw events contain outcome values (success or failure) that appear in AdditionalExtensions and not in the EventOutcome field.

Bug-2

Once the raw event has the EventOutcome field, it completely disappears from the CommonSecurityEvent table.

mlaraibkhan avatar Dec 13 '22 13:12 mlaraibkhan
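One way to check a workspace for Bug-1 and keep success/failure detections working until the mapping is fixed, as an added KQL example that is not part of the issue or of Microsoft's documentation; it assumes AdditionalExtensions keeps the `key=value;key=value` layout of the raw CEF extensions:

```kusto
// Added example, not from the issue or Microsoft's documentation.
// Assumes AdditionalExtensions keeps the CEF layout "key=value;key=value".
CommonSecurityLog
| where TimeGenerated > ago(24h)
// Pull "outcome=<value>" out of AdditionalExtensions when the connector
// left it there instead of mapping it to EventOutcome (Bug-1 above).
| extend OutcomeFromExtensions = extract(@"(?:^|;)outcome=([^;]*)", 1, AdditionalExtensions)
// Flag rows that hit the bug: mapped column empty, raw extension present.
| extend OutcomeUnmapped = isempty(EventOutcome) and isnotempty(OutcomeFromExtensions)
// Prefer the mapped column when populated, otherwise fall back to the parsed
// value, so rules keyed on success/failure keep firing until the fix lands.
| extend NormalizedOutcome = coalesce(EventOutcome, OutcomeFromExtensions)
| summarize Events = count(), Unmapped = countif(OutcomeUnmapped)
    by DeviceVendor, DeviceProduct, NormalizedOutcome
| order by Unmapped desc
```

A non-zero Unmapped count for a product confirms that its outcome values are landing in AdditionalExtensions; the `NormalizedOutcome` expression can be reused as the filter in existing analytics rules.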

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

github-actions[bot] avatar Dec 13 '22 13:12 github-actions[bot]

@LaraibKhan555 The documentation for the schema change has been updated. Please refer to the documentation links below:
https://learn.microsoft.com/en-us/azure/sentinel/cef-name-mapping
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/commonsecuritylog
Closing the issue as this is fixed.

v-amolpatil avatar Jan 20 '23 09:01 v-amolpatil