azure-docs icon indicating copy to clipboard operation
azure-docs copied to clipboard
verified publisher icon MicrosoftDocs

CommonSecurityLog Table does not show Outcome Field in Sentinel Workspace

Open mlaraibkhan opened this issue 3 years ago • 7 comments

CommonSecurityLog Table does not show Outcome Field in Sentinel Workspace

Document Details

Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

mlaraibkhan avatar Dec 12 '22 11:12 mlaraibkhan

image

The outcome is shown in AdditionalExtensions but not in its own Outcome field as explained in the Official Docs.

image

mlaraibkhan avatar Dec 12 '22 11:12 mlaraibkhan

@LaraibKhan555

Thanks for your feedback! We will investigate and update as appropriate.

RamanathanChinnappan-MSFT avatar Dec 12 '22 16:12 RamanathanChinnappan-MSFT

@LaraibKhan555 I can see in the mentioned link that Outcome field is explained in the docs. https://learn.microsoft.com/en-us/azure/sentinel/cef-name-mapping#m---p Can you explain in detail what needs to be done from our end.

Also kindly share details regarding image

YashikaTyagii avatar Dec 13 '22 05:12 YashikaTyagii

query_data (1).csv

There's no Outcome field in the CommonSecurityLog table as written in the documentation, but there's one field called EventOutcome in the sentinel CommonSecurityLog schema. Getschema

However, our raw log includes outcome value (success, failure) but it does not appear in the CommonSecurityLog table in sentinel.

mlaraibkhan avatar Dec 13 '22 10:12 mlaraibkhan

SEC-CommonSecurityLog Schema Outcome Field Mapping Issue-131222-1023.pdf

Attaching pdf to explain the issue.

mlaraibkhan avatar Dec 13 '22 10:12 mlaraibkhan

@LaraibKhan555 Thanks for elaborating so well. It makes sense that outcome shown in official docs should be replaced with "Event Outcome". @limwainstein Kindly provide your inputs.

YashikaTyagii avatar Dec 13 '22 11:12 YashikaTyagii

Also note, the issue is not a simple documentation error.

If the outcome is present in the RAW event it should also appear in the CommonSecurityLog table schema under the EventOutcome field.

mlaraibkhan avatar Dec 13 '22 12:12 mlaraibkhan

Thank you for raising this @LaraibKhan555 . We've fixed the doc issue. https://learn.microsoft.com/en-us/azure/sentinel/cef-name-mapping#m---p

With regards to changes to the schema, please open a Support ticket or consult with the PM team.

limwainstein avatar Dec 20 '22 10:12 limwainstein

#please-close

limwainstein avatar Dec 20 '22 10:12 limwainstein