Steven_Su
Copper Contributor
Feb 18, 2022

Azure Sentinel's "Function" help

Hi,

 

I want to make use of Function to set up exclusion rule, for example, src_ip=1.1.1.1 AND dest_ip=2.2.2.2, src_ip=3.3.3.3 AND signature=AAA. However, when I create the Function beginning with "|" or "where", it could not be loaded in the original search. We did not include the data source here because we have another function to do the data normalization.

 

So could I still use Function in this way or is there any other better approach to do such exclusion? Thanks!

  • Steven_Su OK, now I got it. Sorry for being so obtuse about this one. You are right, you cannot save a function that calls a table (seems to be a bit of an oversight if you ask me). I would suggest following the ASIM model and just creating a different function for each table that you need to be normalized for Function 1.

    If you look at the listing of functions that are available to you, there are a lot that start with _ASim. Those are the ones that MS created to perform normalization for different tables.

    •
      Steven_Su
      Copper Contributor

      GaryBushey Hi, sorry for the late reply; we are quite new to Sentinel and want to migrate our AWS SIEM detection use cases to Sentinel.

      Now our use case is that we want to have 2 functions:

      Function 1: field normalization (shared and used by all the AWS use cases)

      AWSCloudTrail
      | project-rename
          event_name = EventName,
          src_ip = SourceIpAddress,
          target_account_id = RecipientAccountId

      Function 2: exclusion rule for use case A (used by a single AWS use case)

      where aws_account_name != "DevOps" and src_ip != "10.10.10.10"

      So now we are writing the KQL for case A, which requires both functions. However, it does not seem to work. The link https://docs.microsoft.com/en-us/azure/sentinel/false-positives#modify-the-query suggests directly modifying the query, but we still want to see if it is possible to keep the exception condition in the function.


      Thank you.

      •
        GaryBushey
        Bronze Contributor

        Steven_Su If you want to add Function 2 as part of Function 1 but want to be able to change the aws_account_name and src_ip, you will need to pass those variables into the function and then use the variables in the code. Something like:

        // Parameterised function: the account name and source IP to exclude are passed in
        let CheckAWS = (account:string, ipaddress:string) {
            AWSCloudTrail
            | where aws_account_name != account and src_ip != ipaddress
        };
        // A let statement needs a terminating ';' and a query that uses it
        CheckAWS("DevOps", "10.10.10.10")

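As an added example (not code from the thread), one way to keep both the normalization and the exclusion list in functions without the exclusion function starting with a bare `where`: give it a tabular parameter and apply it with `invoke`, so the function itself references no table. The field names are the ones Steven_Su's Function 1 produces; the account IDs and IPs in the exclusion list are constructed placeholders, and it is an assumption that the workspace lets you save the tabular-parameter function rather than only run it inline with `let`.

```kql
// Function 1: normalization, references the table (fine to save as a workspace function)
let AWSNormalize = () {
    AWSCloudTrail
    | project-rename
        event_name = EventName,
        src_ip = SourceIpAddress,
        target_account_id = RecipientAccountId
};
// Exclusion pairs: columns within a row are AND'ed, rows are OR'ed.
// Values are constructed placeholders, not real accounts or addresses.
let AWSExclusions = datatable(src_ip:string, target_account_id:string) [
    "10.10.10.10", "111111111111",
    "10.20.30.40", "222222222222"
];
// Function 2: takes the already-normalized events as a tabular parameter (T),
// so it neither starts with '|'/'where' nor hard-codes a data source.
// leftanti keeps only rows that have NO matching exclusion pair.
let ApplyAWSExclusions = (T:(src_ip:string, target_account_id:string, event_name:string)) {
    T
    | join kind=leftanti AWSExclusions on src_ip, target_account_id
};
// Use case A: normalize, apply the exclusion list via invoke, then detect
AWSNormalize()
| where TimeGenerated > ago(1h)
| invoke ApplyAWSExclusions()
| summarize count() by event_name, src_ip, target_account_id
```

Adding a new exclusion is then a new row in AWSExclusions rather than an edit to every analytics rule that shares the function.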
