When setting up Microsoft Sentinel using the Microsoft Log Analytics Workspace, you might stumble upon a missing piece – the 'msg_s' column or 'ClientIp_s' from the table 'AzureDiagnostics' . These missing columns can cause failure when running queries or configuring the Analytical rules.
This issue arises because the 'msg_s' and 'ClientIp_s' columns aren't initially part of the 'AzureDiagnostics' table. It only appears when you enable diagnostic settings for Azure Firewall. This column gets filled with important information from the firewall logs.
Once we enable the diagnostic setting and the logs start flowing into Log Analytics Workspace, and voilà – the 'msg_s' column magically appears.
Understanding this process is key to smoothly deploying use cases in Sentinel. It's all about getting those Azure Firewall logs into your workspace. Once you do, you'll unlock valuable insights for threat detection and response.
In conclusion, while encountering a missing 'msg_s' and 'ClientIp_s' column in the 'AzureDiagnostics' table may initially seem like a hurdle, understanding its dependency on diagnostic settings for Azure Firewall offers a straightforward solution.
Disclaimer
The views expressed in this blog post are solely my own and do not represent those of my employer or any clients. The views and opinions expressed in this blog post are based on references from Microsoft articles. Assistance from ChatGPT is taken for customizing the blog.