Forum Discussion
JKatzmandu
Sep 30, 2020 (Brass Contributor)
Layering Functions to create Normalization
I currently have a customer who has many different firewall types. We use functions to try and normalize the data. 1) Cisco Meraki comes in as a _CL table, and we have a function which runs "extr...
JKatzmandu
Sep 30, 2020 (Brass Contributor)
I did get it working. It's just making sure the syntax is exact. So this is how my "AllFW" function works now:
union isfuzzy=true CiscoMerakiFW
| union isfuzzy=true SophosSGFirewall
| union isfuzzy=true SophosXGFirewall
| union isfuzzy=true (CommonSecurityLog
    | where DeviceVendor == "Fortinet"
    | extend Dst_Port = tostring(DestinationPort), Dst_IP = DestinationIP, Src_Port = tostring(SourcePort), Src_IP = SourceIP)
When playing with this I noticed a 'new' column, "Dst_Port_Int", which I wasn't expecting, so I picked up on some potential data-type issues. Once I remembered about "isfuzzy" it all came together.
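The data-type issue described in the post, reproduced on constructed data as an added example (this is not code from the original post or from any of the connectors; the table names, column names and sample rows are assumptions). One source carries the destination port as an int, the other as a string, which is exactly the mismatch that makes `union` keep the two columns apart under type-suffixed names instead of merging them. Casting each leg to a common schema with `tostring()` before the union gives a single `Dst_Port` column:

```kql
// Added example, not from the original post. Table names, column names and
// the sample rows below are constructed for illustration.
let CiscoMerakiFW = datatable(TimeGenerated:datetime, Src_IP:string, Dst_IP:string, Dst_Port:int)
[
    datetime(2020-09-30 10:00:00), "10.0.0.5", "203.0.113.10", 443,
    datetime(2020-09-30 10:02:00), "10.0.0.9", "203.0.113.10", 22
];
let SophosSGFirewall = datatable(TimeGenerated:datetime, Src_IP:string, Dst_IP:string, Dst_Port:string)
[
    datetime(2020-09-30 10:01:00), "10.0.0.6", "198.51.100.7", "22"
];
// Normalise each source to the same column names AND the same column types
// before the union. Unioning CiscoMerakiFW and SophosSGFirewall as-is would
// leave Dst_Port split into separate typed columns, so a later
// `where Dst_Port == "22"` would silently miss the Meraki rows.
// isfuzzy=true lets the query still run when one of the source tables
// does not exist yet in the workspace.
union isfuzzy=true
    (CiscoMerakiFW
     | project TimeGenerated, Src_IP, Dst_IP, Dst_Port = tostring(Dst_Port)),
    (SophosSGFirewall
     | project TimeGenerated, Src_IP, Dst_IP, Dst_Port)
| where Dst_Port == "22"
| summarize Hits = count() by Src_IP, Dst_IP, Dst_Port
```

On the sample rows this returns one row per source that hit port 22, which is the check worth running against a real normalisation function: filter on the normalised column and confirm every vendor's rows still appear. Any vendor whose rows vanish is contributing that column with a different type than the rest.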