This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Generic question

Posted on 10-23-2024 10:26 PM
rahul7514
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi Team

Recently i came across a scenario where in i am trying to recreate an yara l alert that my colleague created for another project. However at my end i noticed that values are not been seen in that field .  log source is o365 and its ingestion method is identical (o365 management api) we both are using same default parser. He has not done any adhoc parsing too. Any reason? 

0 3 213
Topic Labels
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
BrianK
Staff
Reply posted on --/--/---- --:-- AM

Does the value exist in the raw log?  If you compare the logs between each project are they logging the same things?

 

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

Another question I'd want to ask is the field an enriched field or unenriched? Unenriched would come in from the parser but enrichment would be dependent upon having user or asset context being populated...

0 Likes

Posted on --/--/---- --:-- AM
dnehoda
Staff
Reply posted on --/--/---- --:-- AM

rahul - it seems like all your recent questions are pointing to the same thing here.  First and foremost for o365 are they configured exactly the same for sending the source data? 
which fields are being populated? 
itโ€™s extremely hard to help without knowing exactly what you see. 

0 Likes
Top Solution Authors
View all