FYI, the screenshots seemed to have died. Also, was wondering if there might be any tips on whether there's a way to use functions to accomplish the same thing as Property Sets (e.g., from the ExchangeOnlineManagement PS module's Get-EXO***** functions, which have certain -PropertySets to pick between).
For example, I can define the following as a function:
EmailEvents
| where SenderFromAddress =~ _SenderParameter
| extend DMARC = parse_json(AuthenticationDetails).DMARC
| extend SPF = parse_json(AuthenticationDetails).SPF
| extend DKIM = parse_json(AuthenticationDetails).DKIM
| extend CompAuth = parse_json(AuthenticationDetails).CompAuth
| project Timestamp, EmailDirection, RecipientEmailAddress, Subject, SenderDisplayName, SenderFromAddress, SenderFromDomain, SenderMailFromDomain, SenderIPv4,
    DeliveryAction, SPF, DKIM, DMARC, CompAuth, BCL = BulkComplaintLevel, SCL = parse_json(ConfidenceLevel).Spam, PCL = parse_json(ConfidenceLevel).Phish,
    EmailAction, SpamDetectionMethod = parse_json(DetectionMethods).Spam, PhishDetectionMethod = parse_json(DetectionMethods).Phish,
    RecipientObjectId, AdditionalFields, InternetMessageId, NetworkMessageId, EmailClusterId
...but what I'd really like to do is just define this as a function, so that I could pump entire EmailEvents entities into the function, without having to control the filtering (i.e., where statements) in the function itself:
| extend DMARC = parse_json(AuthenticationDetails).DMARC
| extend SPF = parse_json(AuthenticationDetails).SPF
| extend DKIM = parse_json(AuthenticationDetails).DKIM
| extend CompAuth = parse_json(AuthenticationDetails).CompAuth
| project Timestamp, EmailDirection, RecipientEmailAddress, Subject, SenderDisplayName, SenderFromAddress, SenderFromDomain, SenderMailFromDomain, SenderIPv4,
    DeliveryAction, SPF, DKIM, DMARC, CompAuth, BCL = BulkComplaintLevel, SCL = parse_json(ConfidenceLevel).Spam, PCL = parse_json(ConfidenceLevel).Phish,
    EmailAction, SpamDetectionMethod = parse_json(DetectionMethods).Spam, PhishDetectionMethod = parse_json(DetectionMethods).Phish,
    RecipientObjectId, AdditionalFields, InternetMessageId, NetworkMessageId, EmailClusterId
I know my current example of what I'm after is incorrect, but wondering if something like this is possible?