Forum Discussion
Steven_Su
Feb 18, 2022, Copper Contributor
Azure Sentinel's "Function" help
Hi, I want to make use of Function to set up exclusion rule, for example, src_ip=1.1.1.1 AND dest_ip=2.2.2.2, src_ip=3.3.3.3 AND signature=AAA. However, when I create the Function beginning with ...
Jonhed
Mar 01, 2022, Steel Contributor
GaryBushey
Is it possible to pass a tabular argument to a stored function though?
I know it is possible with ad-hoc functions defined within the query itself, but I have yet to find a way to do this with stored functions.
At least when you use the Azure Portal GUI, it does not appear to be possible to define a parameter of the tabular type, only regular types such as string, long, dynamic etc.
GaryBushey
Mar 02, 2022, Bronze Contributor
Jonhed If you look at the Examples section in the URL you listed, it shows how to pass in a table to a function:
let MyFilter = (T:(x:long), v:long) {
T | where x >= v
};
MyFilter((range x from 1 to 10 step 1), 9)
BTW, the range command returns a table.
- Jonhed, Mar 08, 2022, Steel Contributor
Regarding Function 2, it is not exactly what you wanted but you could do it like below.
Create function and save as below.
Name: Function2
Parameters: (string)aws_account_name, (string)src_ip
Function query:
iif(aws_account_name != "DevOps" and src_ip != "10.10.10.10","True","False")
Then use it like below.
Function1 | extend Function2 = Function2(aws_account_name,src_ip) | where Function2 == "True"
It is a bit clumsier than what you wanted, but could do the trick.
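Putting the two approaches from this thread side by side, as an added example (not code from any of the posters): a scalar-parameter exclusion function of the kind Jonhed describes, encoding the two rules from the original question, next to an ad-hoc tabular-parameter wrapper of the kind shown in GaryBushey's MyFilter example. The Function1 table here is a constructed datatable standing in for the real normalized output, and IsExcluded / ApplyExclusions are hypothetical names.

```kusto
// Constructed stand-in for Function1's normalized output (not real data).
let Function1 = datatable(aws_account_name:string, src_ip:string, dest_ip:string, signature:string)
[
    "DevOps", "10.10.10.10", "2.2.2.2", "AAA",
    "Prod",   "1.1.1.1",     "2.2.2.2", "BBB",   // matches rule 1 -> excluded
    "Prod",   "3.3.3.3",     "9.9.9.9", "AAA",   // matches rule 2 -> excluded
    "Prod",   "5.5.5.5",     "6.6.6.6", "CCC"    // kept
];
// Scalar-parameter exclusion function: this is the shape you can save as a
// workspace function (every parameter declared as string in the save dialog).
// It returns bool, so the caller filters on it directly instead of comparing
// against the text "True".
let IsExcluded = (src_ip:string, dest_ip:string, signature:string) {
    (src_ip == "1.1.1.1" and dest_ip == "2.2.2.2")
    or (src_ip == "3.3.3.3" and signature == "AAA")
};
// Tabular-parameter wrapper: works when defined in the same query (ad-hoc),
// but, as the thread notes, cannot be saved as a workspace function.
// The parameter type lists only the columns the body needs; tables with
// extra columns (such as aws_account_name) are accepted.
let ApplyExclusions = (T:(src_ip:string, dest_ip:string, signature:string)) {
    T | where not(IsExcluded(src_ip, dest_ip, signature))
};
ApplyExclusions(Function1)
```

With a saved IsExcluded, each per-table function would simply end in `| where not(IsExcluded(src_ip, dest_ip, signature))`, which is the per-table pattern GaryBushey recommends.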
- Steven_Su, Mar 06, 2022, Copper Contributor
Understood and thank you for your explanation.
- GaryBushey, Mar 03, 2022, Bronze Contributor
Steven_Su OK, now I got it. Sorry for being so obtuse about this one. You are right, you cannot save a function that calls a table (seems to be a bit of an oversight if you ask me). I would suggest following the ASIM model and just create a different function for each table that you need to be normalized for Function 1.
If you look at the listing of functions that are available to you, there are a lot that start with _ASim. Those are the ones that MS created to perform normalization for different tables.
- Jonhed, Mar 03, 2022, Steel Contributor
Yes, as I said, I know you can do it in ad-hoc functions, where the function is defined within the same query that calls the function. (This is what the example shows.)
But what Steven_Su is saying is that he wants to "save Function1 and Function2 as functions under 'Workspace functions'", meaning you need to do it as a stored function.
When you save a function, you need to specify the parameters in the dialog, as you can see in the screenshot below, but there is no option to accept a table as a parameter in this case.
There is no mention of how to accept a table in stored functions in the official documents, and I have seen other members asking about it, so I am not sure if it is doable in the way Steven_Su imagines it.