Forum Discussion

Steven_Su's avatar
Steven_Su
Copper Contributor
Feb 17, 2022
Solved

Azure Sentinel's "Function" help

Hi,   I want to make use of Function to set up exclusion rule, for example, src_ip=1.1.1.1 AND dest_ip=2.2.2.2, src_ip=3.3.3.3 AND signature=AAA. However, when I create the Function beginning with ...
  • GaryBushey's avatar
    GaryBushey
    Mar 03, 2022

    Steven_Su OK, now I got it.  Sorry for being so obtuse about this one.  You are right, you cannot save a function that calls a table (seems to be a bit of an oversight if you ask me).   I would suggest following the ASIM model and just create a different function for each table that you need to be normalized for Function 1.

     

    If you look at the listing of functions that are available to you, there are a lot that start with _ASim.  Those are the ones that MS created to perform normalization for different tables.

Steven_Su's avatar
Steven_Su
Copper Contributor
Mar 06, 2022
Understood and thank you for your explanation.
Jonhed's avatar
Jonhed
Steel Contributor
Mar 08, 2022

Steven_Su 

Regarding Function 2, it is not exactly what you wanted but you could do it like below.

 

Create function and save as below.

Name: Function2

Parameters:  (string)aws_account_name, (string)src_ip

Function query:

iif(aws_account_name != "DevOps" and src_ip != "10.10.10.10","True","False")

 

Then use it like below.

It is a bit clumsier than what you wanted, but could do the trick.

Function1
| extend Function2 = Function2(aws_account_name,src_ip)
| where Function2 == "True"