A Big Change is Coming to Sentinel
The CommonSecurityLog table (CEF) will see a big change happening on the 28th February 2023!
Although I had other thoughts and ideas about what my first blog post would be, the upcoming changes to the CommonSecurityLog table (CEF) will be one of the biggest and potentially most impactful changes I have seen within Microsoft Sentinel for some time. Although information about this change was released last year, on the 25th October 2022, it has gone under the radar (at least for me) until now.
On the 28th February 2023 Microsoft plan to introduce a change to the CommonSecurityLog (CEF) table schema along with a fix for escaped characters. A summary of changes can be seen below:
[Summary of changes image. Source: https://techcommunity.microsoft.com]
As the CommonSecurityLog table is widely used by many Microsoft Sentinel customers/MSSPs to ingest syslog data in CEF format, this change will reach a lot of customers. However, it may only impact a small percentage of those using the table. As Microsoft's out-of-the-box content will be updated to use the new schema, the increased risk sits with customers/MSSPs that have created custom detection rules, hunting queries, workbooks, parsers, etc. It is vital that any custom content is reviewed and updated to use the new schema.
If custom detection rules, workbooks, parsers, etc. are not reviewed, there is a high possibility that this content will not work after the 28th February 2023. This could lead to customers and MSSPs missing detections and losing visibility they once had.
Microsoft have released recommended actions for any customers/MSSPs that are using custom content against the CommonSecurityLog table:
Update! When the latest version of the out-of-the-box content has been released, ensure content such as detection rules, workbooks, parsers, etc. has been updated to use the latest schema version.
Review that any custom content created will work with the new schema and update it accordingly.
Testing will be key to confirming that any updates made to custom content will work on the 28th February after the schema change. This is why Microsoft have provided the KQL query below, to be used in a Data Collection Rule (DCR) transformation that mimics the flow of data into the new columns. It is highly recommended that this is configured in a non-production Sentinel workspace to avoid impacting live monitoring.
source
| extend ExtID = tostring(ExternalID)
| extend FieldDeviceCustomNumber1 = tolong(DeviceCustomNumber1)
| extend FieldDeviceCustomNumber2 = tolong(DeviceCustomNumber2)
| extend FieldDeviceCustomNumber3 = tolong(DeviceCustomNumber3)
| extend Reason = (extract(@"reason=(.*?)(;|$)", 1, AdditionalExtensions))
| extend EventOutcome = (extract(@"outcome=(.*?)(;|$)", 1, AdditionalExtensions))
| extend DeviceEventCategory = (extract(@"cat=(.*?)(;|$)", 1, AdditionalExtensions))
Source: https://techcommunity.microsoft.com
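To check custom content offline before the cut-over, the following added example (my own code, not from the Microsoft post) reproduces the column mapping of the DCR query above in Python over constructed sample rows, and flags custom KQL that still references the legacy column names. The sample row and query are constructed for illustration.

```python
import re

# Legacy column -> new column, as mapped by the DCR transformation above.
RENAMED_COLUMNS = {
    "ExternalID": "ExtID",
    "DeviceCustomNumber1": "FieldDeviceCustomNumber1",
    "DeviceCustomNumber2": "FieldDeviceCustomNumber2",
    "DeviceCustomNumber3": "FieldDeviceCustomNumber3",
}

# New columns pulled out of AdditionalExtensions ("key=value;key=value"),
# using the same regular expressions as the DCR query.
EXTRACTED_COLUMNS = {
    "Reason": re.compile(r"reason=(.*?)(;|$)"),
    "EventOutcome": re.compile(r"outcome=(.*?)(;|$)"),
    "DeviceEventCategory": re.compile(r"cat=(.*?)(;|$)"),
}


def transform_row(row: dict) -> dict:
    """Apply the DCR mapping to one CommonSecurityLog row (a dict of column -> value)."""
    out = dict(row)
    ext_id = row.get("ExternalID")
    out["ExtID"] = None if ext_id is None else str(ext_id)      # tostring()
    for i in (1, 2, 3):
        val = row.get(f"DeviceCustomNumber{i}")
        out[f"FieldDeviceCustomNumber{i}"] = None if val is None else int(val)  # tolong()
    extensions = row.get("AdditionalExtensions") or ""
    for col, pattern in EXTRACTED_COLUMNS.items():
        match = pattern.search(extensions)
        out[col] = match.group(1) if match else ""  # no match yields an empty string here
    return out


def find_legacy_references(kql: str) -> dict:
    """Return {legacy_column: new_column} for each legacy column a custom query still uses."""
    return {old: new for old, new in RENAMED_COLUMNS.items()
            if re.search(rf"\b{old}\b", kql)}


if __name__ == "__main__":
    # Constructed sample row and custom query.
    sample = {"ExternalID": 4321, "DeviceCustomNumber1": 10,
              "AdditionalExtensions": "reason=Policy Violation;outcome=blocked;cat=malware"}
    print(transform_row(sample))
    print(find_legacy_references("CommonSecurityLog | where ExternalID == 4321"))
```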
For more information, please visit the Microsoft post about this change here.
I will be writing more blog posts, around once a fortnight, on new and exciting developments within the Microsoft Azure platform, focusing on its security products, how-to guides, and thoughts around improvements. If you want to follow along, please subscribe below; it's free!