Forum Discussion
mergene
Aug 08, 2020 - Brass Contributor
Cross Workspace Analytic Rule Performance
Hi, I have several workspaces containing SecurityEvent table having data. When I perform a union on the workspaces and then do the filtering, calculation, etc., the query consumes too much resour...
- Aug 09, 2020
First, search should not be more performant than union, so the difference may be elsewhere.
As to your question: I can't think of a way to avoid repeating the query, however, I can make it simpler:
let Filter = (T:(EventID:int))
{
    T | where EventID == 4624
};
union (workspace("a").SecurityEvent | invoke Filter()), (workspace("b").SecurityEvent | invoke Filter())

While for a single condition it might not be much shorter, it is still more elegant, and will become much shorter if you have more conditions.
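The same pattern with several conditions, as an added example rather than code from the reply above: one tabular function holds the whole detection logic (filter plus aggregation), so each workspace branch of the union is a single line. The workspace names "a" and "b", the event IDs and the logon-type values are assumed placeholders chosen for illustration.

```kql
// Added example, not from the original post. Filters network/remote-interactive
// logon events and counts failures per account, once, in a reusable function.
let FilterLogons = (T:(EventID:int, Account:string, LogonType:int))
{
    T
    | where EventID in (4624, 4625)          // successful and failed logons
    | where LogonType in (3, 10)             // network and RemoteInteractive (assumed values)
    | summarize Attempts = count(), Failures = countif(EventID == 4625) by Account
};
// Each workspace branch only invokes the function; the logic is not repeated.
union withsource=SourceWorkspace
    (workspace("a").SecurityEvent | invoke FilterLogons()),
    (workspace("b").SecurityEvent | invoke FilterLogons())
| where Failures > 0
| order by Failures desc
```

Because `invoke` passes the preceding table as the first parameter, adding a condition means editing the function body once; `withsource` keeps the originating workspace visible in the result, which matters when the rule fires on the merged output.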
mergene
Aug 02, 2021 - Brass Contributor
You can transform a query into a function like in this post. Then invoke the function in one rule like:
union (workspace("workspace01").SecurityEvent | invoke function_x()), (workspace("workspace02").SecurityEvent | invoke function_x())

There might be better ways. There is an MSSP guide for Azure Sentinel that you can check, if not already.
CliveWatson
Aug 02, 2021 - Microsoft