@azurekid
Last active June 14, 2023 07:14
ASIM snippets

KQL Snippets

This file contains KQL snippets for developing ASIM (Advanced Security Information Model) parsers for Microsoft Sentinel. They are fragments, not complete queries: the source table reference and the parser's filtering-parameter declarations (`srcipaddr_has_any_prefix`, `dstipaddr_has_any_prefix`, `ipaddr_has_any_prefix`, `hostname_has_any`) must precede them.

DstHostname

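// Fall back to the destination IP when no destination hostname was parsed.
// isnotempty() is the idiomatic ASIM test for "field has a value"; it reads the same
// as the original `!= ""` check but makes the intent explicit.
// NOTE(review): the fallback column is DestinationIP (source-specific name), not the
// ASIM DstIpAddr — keep the two aligned if the parser renames the IP column earlier.
| extend DstHostname = iff(isnotempty(DstHostname), DstHostname, DestinationIP)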

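// Apply the ASIM IP-address and hostname filtering parameters.
// Assumes the standard ASIM filter parameters are declared earlier in the parser:
//   srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix
//   (dynamic arrays of IPv4 prefixes) and hostname_has_any (dynamic array of strings).
// A value in the side-agnostic ipaddr_has_any_prefix may match either endpoint, so it is
// merged into both per-side prefix lists before matching.
let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
| extend
    temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any)
  , temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)
| extend
  ASimMatchingIpAddr = case(
    array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,"-"
    , temp_SrcMatch and temp_DstMatch, "Both"
    , temp_SrcMatch, "SrcIpAddr"
    , temp_DstMatch, "DstIpAddr"
    , "No match"
  )
// Enforce the IP filter. "-" means no IP parameter was supplied and every row passes;
// without this where clause the IP parameters are computed but never actually filter,
// so a caller scoping a query to an address range would silently get all rows.
| where ASimMatchingIpAddr != "No match"
// Hostname filtering must be evaluated against the hostname fields themselves rather
// than reusing the IP match flags; otherwise hostname_has_any filters rows by IP.
| extend
    temp_SrcHostMatch = SrcHostname has_any (hostname_has_any)
  , temp_DstHostMatch = DstHostname has_any (hostname_has_any)
| extend 
  ASimMatchingHostname = case(
    array_length(hostname_has_any) == 0, "-"
    , temp_SrcHostMatch and temp_DstHostMatch, "Both"
    , temp_SrcHostMatch, "SrcDomain"
    , temp_DstHostMatch, "DstDomain"
    , "No match"
  )
| where ASimMatchingHostname != "No match"
// Scratch columns must not leak into the parser's output schema.
| project-away temp_SrcMatch, temp_DstMatch, temp_SrcHostMatch, temp_DstHostMatch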