Forum Discussion
Azure Sentinel's "Function" help
- Mar 03, 2022
Steven_Su OK, now I got it. Sorry for being so obtuse about this one. You are right, you cannot save a function that calls a table (seems to be a bit of an oversight if you ask me). I would suggest following the ASIM model and just create a different function for each table that you need to be normalized for Function 1.
If you look at the listing of functions that are available to you, there are a lot that start with _ASim. Those are the ones that MS created to perform normalization for different tables.
- Jonhed Mar 08, 2022 Steel Contributor
Regarding Function 2, it is not exactly what you wanted but you could do it like below.
Create function and save as below.
Name: Function2
Parameters: (string)aws_account_name, (string)src_ip
Function query:
iif(aws_account_name != "DevOps" and src_ip != "10.10.10.10","True","False")
Then use it like below.
Function1 | extend Function2 = Function2(aws_account_name,src_ip) | where Function2 == "True"
It is a bit clumsier than what you wanted, but could do the trick.
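An added example (not Jonhed's or Microsoft's code) that puts both suggestions from the thread together as let statements, so it can be pasted into a Sentinel Logs query without saving any function: one normalization function per source table, unioned, then the parameterised filter applied as a boolean. The two source tables, their column names and the sample rows are constructed for the example.

```kusto
// Constructed sample tables standing in for two real log sources (assumption, not the poster's data)
let AwsLogs = datatable(AccountName:string, SourceIp:string, EventTime:datetime)
[
    "DevOps", "10.10.10.10",  datetime(2022-03-01 10:00:00),
    "Prod",   "203.0.113.5",  datetime(2022-03-01 10:05:00)
];
let FirewallLogs = datatable(Tenant:string, ClientAddr:string, Ts:datetime)
[
    "Prod",    "10.10.10.10",  datetime(2022-03-01 10:06:00),
    "Finance", "198.51.100.9", datetime(2022-03-01 10:07:00)
];
// One normalization function per source table (the ASIM-style approach from the thread).
// Each projects the same column names so the outputs can be unioned.
let NormalizeAws = () {
    AwsLogs
    | project aws_account_name = AccountName, src_ip = SourceIp, TimeGenerated = EventTime
};
let NormalizeFirewall = () {
    FirewallLogs
    | project aws_account_name = Tenant, src_ip = ClientAddr, TimeGenerated = Ts
};
// Parameterised row filter with the same logic as Function2, returning bool
// directly instead of the strings "True"/"False" so it can sit in a where clause.
let IsOfInterest = (aws_account_name:string, src_ip:string) {
    aws_account_name != "DevOps" and src_ip != "10.10.10.10"
};
union NormalizeAws(), NormalizeFirewall()
| where IsOfInterest(aws_account_name, src_ip)
| project TimeGenerated, aws_account_name, src_ip
// Expected: the Prod/203.0.113.5 and Finance/198.51.100.9 rows remain
```

Saving NormalizeAws and NormalizeFirewall as separate workspace functions, one per table, is the same pattern the _ASim functions follow.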