@pixel559, we have made the changes in the parser, so could you please custom deploy the Main Template shared below into your workspace and let us know whether your issue is resolved:
The custom deployment steps are mentioned in the file below:
Custom Deployment - CustomDeploymentSteps.docx
Hello Team,
There is a problem with the Cisco SEG solution's analytic rules (all of them).
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoSEG
The analytics rules are referencing a function. Taking 'CiscoSEGDLPViolation.yaml' as an example: the column 'AdditionalFields' is missing.
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoSEG/Analytic%20Rules/CiscoSEGDLPViolation.yaml
CiscoSEGEvent
| where NetworkDirection =~ 'Outgoing'
| where tostring(AdditionalFields) has 'ESADLPVerdict' //<-------- there is no 'AdditionalFields' defined in the function
| extend dlp_verdict = extract(@'ESADLPVerdict":"(NOT_EVALUATED|NO TRIGGER|VIOLATION|NO VIOLATION)"', 1, tostring(AdditionalFields))
| where dlp_verdict =~ 'VIOLATION'
| extend AccountCustomEntity = SrcUserName
Looks like the function (parser) needs to be updated or the analytics rules need an update.
Function:
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoSEG/Parsers/CiscoSEGEvent.yaml
Please update the function/analytics rules.
Thank you!
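Two queries a workspace owner can use to confirm the schema mismatch described in this issue and to keep the rule from failing outright while the parser is fixed. This is an added example, not the solution's own rule or parser; it assumes only the column names already quoted in the issue (NetworkDirection, AdditionalFields, SrcUserName), and the `getschema` and `column_ifexists()` operators are standard KQL.

```kql
// Query 1: check which of the columns the rule depends on are actually
// exposed by the CiscoSEGEvent parser function. Any name missing from the
// result is a column the analytic rule will fail on.
CiscoSEGEvent
| getschema
| where ColumnName in ('NetworkDirection', 'AdditionalFields', 'SrcUserName')
| project ColumnName, ColumnType

// Query 2: the DLP rule rewritten so that a missing 'AdditionalFields'
// column produces zero rows instead of a query error. column_ifexists()
// returns the column when the parser defines it and the empty-string
// default otherwise; the explicit isnotempty() filter keeps the regex from
// running on that default. The regex and verdict values are the ones from
// the original rule.
CiscoSEGEvent
| where NetworkDirection =~ 'Outgoing'
| extend dlp_raw = tostring(column_ifexists('AdditionalFields', ''))
| where isnotempty(dlp_raw) and dlp_raw has 'ESADLPVerdict'
| extend dlp_verdict = extract(@'ESADLPVerdict":"(NOT_EVALUATED|NO TRIGGER|VIOLATION|NO VIOLATION)"', 1, dlp_raw)
| where dlp_verdict =~ 'VIOLATION'
| extend AccountCustomEntity = SrcUserName
```

Query 2 only converts a hard failure into silent zero hits, so Query 1 (or a rule-health check on result counts) is still needed to notice that the DLP violation detection is not actually covering anything until the parser exposes the column.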