Forum Discussion
Azure Sentinel's "Function" help
- Mar 03, 2022
Steven_Su OK, now I got it. Sorry for being so obtuse about this one. You are right, you cannot save a function that calls a table (seems to be a bit of an oversight if you ask me). I would suggest following the ASIM model and just create a different function for each table that you need to be normalized for Function 1.
If you look at the listing of functions that are available to you, there are a lot that start with _ASim. Those are the ones that MS created to perform normalization for different tables.
Steven_Su You will need to pass in a table to perform the actions against. Take a look at User-defined functions - Azure Data Explorer | Microsoft Docs for some examples of how you can pass in a specific table or an unknown table.
- Steven_Su, Feb 24, 2022, Copper Contributor
GaryBushey Hi, sorry for the late reply, since we are quite new to Sentinel and want to migrate our AWS SIEM detection use case to Sentinel.
Now our use case is that we want to have 2 functions:
Function 1: field normalization (shared and used by all the AWS use case)
AWSCloudTrail | project-rename event_name = EventName, src_ip = SourceIpAddress, target_account_id = RecipientAccountId
Function 2: exclusion rule for use case A (used by single AWS use case)
where aws_account_name != "DevOps" and src_ip != "10.10.10.10"
So now we are writing the KQL for case A, which requires both functions. However, it seems not to be working. In the link https://docs.microsoft.com/en-us/azure/sentinel/false-positives#modify-the-query it suggests directly modifying the query, but we still want to see if it is possible to keep the exception condition in the function.
Thank you.
- GaryBushey, Feb 25, 2022, Bronze Contributor
Steven_Su If you want to add Function 2 as part of Function 1 but want to be able to change the aws_account_name and src_ip, you will need to pass those variables into the function and then use the variables in the code. Something like
let CheckAWS = (account:string, ipaddress:string) { AWSCloudTrail | where aws_account_name != account and src_ip != ipaddress };
- Steven_Su, Feb 27, 2022, Copper Contributor
Hi Gary,
Thank you very much for your response. I guess maybe I am not explaining the issue clearly.
We want to have 2 separate functions so that we could invoke them in other KQL queries (different AWS use cases) like Function1 Function2 | summarize ... by ...
Function 1, doing the data normalization, is the same for all the queries, while Function 2 is the exclusion and is different case by case. That's why we need to create a dedicated function for it. So it seems your suggestion may not suit the requirement.
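As an added example that is not from this thread, the two-function layout discussed above written out in KQL: Function 1 with no parameters, Function 2 with the exclusion values as scalar parameters (Gary's suggestion), and the inline tabular-parameter form that gives the Function1 | Function2 chaining Steven describes. The column names come from the thread; the function names and the assumption that aws_account_name is present after normalization are mine.

```kql
// Added example, not code posted in the thread.
// Assumes AWSCloudTrail exposes EventName, SourceIpAddress and RecipientAccountId,
// and that aws_account_name is available as a column (assumption; the thread does
// not show where it comes from).

// Function 1: shared normalization. No parameters, so it can be saved as-is.
let NormalizeAWS = () {
    AWSCloudTrail
    | project-rename event_name = EventName,
                     src_ip = SourceIpAddress,
                     target_account_id = RecipientAccountId
};

// Function 2, scalar-parameter form: the exclusion values are arguments, so each
// use case calls it with its own account/IP pair and the filter stays in a function.
// It reads the output of Function 1 rather than the raw table.
let ExcludeAWS = (account:string, ipaddress:string) {
    NormalizeAWS()
    | where aws_account_name != account and src_ip != ipaddress
};

// Function 2, tabular-parameter form: takes the normalized rows as input and is
// chained with `invoke`. This runs fine inline; Gary reports above that a function
// taking a table cannot be saved in Sentinel, so keep this one in the query body.
let ExcludeAWSTabular = (T:(aws_account_name:string, src_ip:string)) {
    T
    | where aws_account_name != "DevOps" and src_ip != "10.10.10.10"
};

// Use case A with the scalar-parameter function:
ExcludeAWS("DevOps", "10.10.10.10")
| summarize count() by event_name, src_ip

// The same use case with the tabular form (Function1 | Function2 | summarize):
// NormalizeAWS()
// | invoke ExcludeAWSTabular()
// | summarize count() by event_name, src_ip
```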