Open 0xFustang opened 3 weeks ago
Hello! Is there a way to apply rule_conditions in a post-processing? The idea would be to apply a post-processing based on a certain condition such as:
```yaml
- type: template
  template: |+
    {{ query }}
    | extend ServiceName = tostring(ParsedFields.ServiceName)
    | project foo, bar, ServiceName
  rule_conditions:
    - type: contains_detection_item
      field: "Provider_Name"
      value: "Service Control Manager"
- type: template
  template: |+
    {{ query }}
    | extend Balance = tostring(ParsedFields.Bar)
    | project foo, Balance
  rule_conditions:
    - type: contains_detection_item
      field: "Provider_Name"
      value: "balance"
```
Postprocessing items are already capable of this. Did you try it and it didn't work?