JKatzmandu
Sep 30, 2020 · Brass Contributor
Layering Functions to create Normalization
I currently have a customer who has many different firewall types. We use functions to try and normalize the data. 1) Cisco Meraki comes in as a _CL table, and we have a function which runs "extr...
JKatzmandu
Sep 30, 2020 · Brass Contributor
A quick clarification; the "code" formatting functionality of the post isn't happy; it makes it look like I'm leaving stuff off. This is what the AllFW function really looks like:
union CiscoMerakiFW
| union SophosSGFirewall
| union SophosXGFirewall
// Fortinet events come from CommonSecurityLog; rename the address and port columns
| union (
    CommonSecurityLog
    | where DeviceVendor == "Fortinet"
    | project-rename Dst_Port = DestinationPort, Dst_IP = DestinationIP, Src_Port = SourcePort, Src_IP = SourceIP
)