Migrate Splunk detection rules to Microsoft Sentinel

Splunk along with EventID decoding and other useful features Bro Bro PE coalesce

coalesce 複数の値を順番に確認し、最初に NULL 以外となった値を返す関数です。 異なる項目名で同じ

coalesce synonyms EVAL-parent_process_guid = case(coalesce == null, null(),

splunk coalesce Using the splunk coalesce command can create a new field with information from both fields and can also insert a value if none exists