This message originated from Cribl Community Slack.
I am planning to create a custom table in Microsoft Sentinel for Zscaler Deception logs using DCR/DCE. The intended table schema contains 124 SOC‑relevant fields.
However, the source logs are event‑driven, and at present only 59 fields are being populated. These 59 fields are already parsed, normalized, and enriched in Cribl before being sent to the Sentinel destination.
If I define a custom table schema with all 124 fields, will the incoming logs from Cribl correctly map the available 59 fields to their respective columns, while the remaining fields stay empty/null when querying data in Sentinel?
Additionally, can someone guide me on which parsing and transformation functions should be used (for example, in Cribl and/or DCR transformations) to ensure proper field mapping and schema alignment?
Solved
Custom Table Schema In Microsoft Sentinel Not Mapping All Fields From Cribl Logs
Best answer by david.phan648
The DCR you create will map the data to the custom column you created. You need to have a custom table in Sentinel as well. If there's no value in the logs, those remaining fields would be empty.
When you create the custom table in Sentinel, you need to ensure your data type matches what you declare in your DCR, otherwise you'll get errors or your data won't show as expected. So, if you set Hostname to string in your custom table, make sure that Hostname is declared as string as well in the DCR.
Assuming the data is syslog, you'll likely need a parser and then an eval.
Just make sure what you have in your DCR aligns with what you have in your custom table in Sentinel.
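The type alignment the answer describes, as an added example that is not Cribl's or Microsoft's code: the same logic would sit in a Cribl Eval or Code function ahead of the Sentinel destination. The column names, types and sample event are constructed stand-ins for the real 124-column table.

```javascript
// Constructed subset of the custom table's columns (the real table has 124).
const SCHEMA = {
  TimeGenerated: "datetime", Hostname: "string", SourceIP: "string",
  DestinationPort: "int", BytesSent: "long", IsDeceptionHit: "boolean",
  Severity: "real", RawEvent: "dynamic",
};
// Coerce one value to its declared Log Analytics type; undefined = not representable.
function coerce(value, type) {
  if (value === undefined || value === null || value === "") return undefined;
  switch (type) {
    case "string": return String(value);
    case "int": case "long": {
      const n = Number(value);            // whole numbers only
      return Number.isInteger(n) ? n : undefined;
    }
    case "real": {
      const n = Number(value);
      return Number.isFinite(n) ? n : undefined;
    }
    case "boolean":
      if (typeof value === "boolean") return value;
      if (/^(true|1)$/i.test(String(value))) return true;
      if (/^(false|0)$/i.test(String(value))) return false;
      return undefined;
    case "datetime": {
      const d = new Date(value);          // emit ISO 8601 for the DCR stream
      return Number.isNaN(d.getTime()) ? undefined : d.toISOString();
    }
    case "dynamic":
      if (typeof value === "object") return value;
      try { return JSON.parse(value); } catch { return undefined; }
  }
}
// Build the outbound record: only declared columns, each coerced to its type.
// Absent source fields stay absent (null in Sentinel); undeclared fields are
// dropped so the DCR does not reject the batch; type mismatches are reported.
function alignToSchema(event, schema) {
  const record = {}, mismatched = [];
  for (const [col, type] of Object.entries(schema)) {
    if (!(col in event)) continue;
    const v = coerce(event[col], type);
    if (v === undefined) mismatched.push(col); else record[col] = v;
  }
  const dropped = Object.keys(event).filter((k) => !(k in schema));
  return { record, dropped, mismatched };
}
// Constructed event: 5 of the 8 declared columns present plus one undeclared field.
const SAMPLE_EVENT = { TimeGenerated: "2026-02-13T18:12:31Z", Hostname: "decoy-01",
  DestinationPort: "445", IsDeceptionHit: "true", Severity: "high", extraField: "x" };
```

Running `alignToSchema(SAMPLE_EVENT, SCHEMA)` yields a record with only the five present columns, reports `extraField` as dropped and `Severity` as a type mismatch (a string where the table declares real), which is exactly the class of error the DCR would otherwise surface at ingestion.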
