Forum Discussion
Steven_Su
Feb 18, 2022Copper Contributor
Azure Sentinel's "Function" help
Hi, I want to make use of Function to set up exclusion rule, for example, src_ip=1.1.1.1 AND dest_ip=2.2.2.2, src_ip=3.3.3.3 AND signature=AAA. However, when I create the Function beginning with ...
- Mar 03, 2022
Steven_Su OK, now I got it. Sorry for being so obtuse about this one. You are right, you cannot save a function that calls a table (seems to be a bit of an oversight if you ask me). I would suggest following the ASIM model and just create a different function for each table that you need to be normalized for Function 1.
If you look at the listing of functions that are available to you, there are a lot that start with _ASim. Those are the ones that MS created to perform normalization for different tables.
Steven_Su
Mar 06, 2022Copper Contributor
Understood and thank you for your explanation.
Jonhed
Mar 08, 2022Steel Contributor
Regarding Function 2, it is not exactly what you wanted but you could do it like below.
Create function and save as below.
Name: Function2
Parameters: (string)aws_account_name, (string)src_ip
Function query:
iif(aws_account_name != "DevOps" and src_ip != "10.10.10.10","True","False")
Then use it like below.
It is a bit clumsier than what you wanted, but could do the trick.
Function1
| extend Function2 = Function2(aws_account_name,src_ip)
| where Function2 == "True"