abon13 (Brass Contributor), Oct 07, 2022
Watchlist file name as a function parameter
Hi, I am writing a main function that calls sub-functions for the IoCs stored in the watchlist. Currently I have the watchlist file name in every sub-function and was hoping I could avoid this, so that we just call the main function with the file name as a parameter and it in turn provides the watchlist file to the sub-functions too.
If you look at the first line of the two sub-functions below, you will see I have the watchlist filename hardcoded there.
IPsearch()
let watchlist_ip = (_GetWatchlist('TestWatchlist') | where Type == 'IP_Address' | project SearchKey);
let Office_Okta = (OfficeActivity
| union Okta_CL
| where TimeGenerated >= ago(1d)
| where ClientIP in (watchlist_ip) or client_ipAddress_s in (watchlist_ip)
| project TimeGenerated, ClientIP, UserId);
Office_Okta
URLsearch()
let watchlist_search_url = (_GetWatchlist('TestWatchlist') | where Type == 'CMD_Process_File' | project SearchKey);
let Office = (OfficeActivity
| union NetworkFw
| where TimeGenerated >= ago(Time)
.
.
.
.);
Here is the current main function without watchlist file as a parameter
Main()
Ipsearch()
|union UrlSearch()
My plan is something like this: I only execute Main(WatchlistFileName) to get the results. How do I do this?
Main(WatchlistFileName)
IpSearch(filename_provided_in_the_main)
| union UrlSearch(filename_provided_in_the_main)
Clive_Watson (Bronze Contributor):
Materialize could help here: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/materializefunction but I've not tried it in a function like you describe.
This example is close to what you ask:
To use the let statement with a value that you use more than once, use the materialize() function. Try to push all possible operators that will reduce the materialized data set and still keep the semantics of the query. For example, use filters, or project only required columns.
Kusto
let materializedData = materialize(Table
| where Timestamp > ago(1d));
union (materializedData
| where Text !has "somestring"
| summarize dcount(Resource1)), (materializedData
| where Text !has "somestring"
| summarize dcount(Resource2))
abon13 (Brass Contributor):
Would you be able to elaborate how I can use materialize for this use case?
I am trying to understand, even when making use of materialise, how I can call the watchlist file name used in the main function.
Clive_Watson (Bronze Contributor):
So for example, I have a Watchlist with 7 rows of IP Addresses. I use materialize to cache the data with a let() to the name wList
let wList = materialize(_GetWatchlist('ipa'));
union (wList | where SearchKey !startswith "188" | count),
      (wList | where SearchKey startswith "188" | count)
As you can see (in this very brief example) I call wList twice but ask for different data each time.
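Putting the two halves of the thread together (abon13's wish to name the watchlist only once, Clive's advice to read it once with materialize), here is one way to structure it as KQL user-defined functions. This is an added example, not code from either poster: it assumes _GetWatchlist() accepts a non-literal string argument, that functions with tabular parameters can be invoked as written, and that NetworkFw has a string column Url_s (a placeholder; the thread does not show that table's schema). The watchlist is loaded a single time at the top and handed to the sub-functions as a tabular parameter, so no sub-function ever names the file.

```kusto
// Added example (not from the thread). Assumes: _GetWatchlist() accepts a non-literal
// string, and NetworkFw has a string column named Url_s (placeholder; use your own).
let WatchlistName = 'TestWatchlist';   // the only place the watchlist name appears
let Lookback = 1d;
// Read the watchlist once. materialize() caches the rows, so each sub-search below
// filters the cached copy instead of calling _GetWatchlist() again.
let wList = materialize(_GetWatchlist(WatchlistName) | project Type, SearchKey);
// Sub-function 1: IP indicators against Office and Okta sign-in data. The indicator
// set arrives as a tabular parameter, so the function never names the watchlist.
let IpSearch = (ips:(SearchKey:string), lookback:timespan) {
    OfficeActivity
    | union Okta_CL
    | where TimeGenerated >= ago(lookback)
    | where ClientIP in (ips) or client_ipAddress_s in (ips)
    | project TimeGenerated, UserId,
              Indicator = coalesce(ClientIP, client_ipAddress_s),
              IndicatorType = 'IP_Address'
};
// Sub-function 2: URL / file indicators against Office and firewall data.
let UrlSearch = (urls:(SearchKey:string), lookback:timespan) {
    OfficeActivity
    | union NetworkFw
    | where TimeGenerated >= ago(lookback)
    | where OfficeObjectId in (urls) or Url_s in (urls)
    | project TimeGenerated, UserId,
              Indicator = coalesce(OfficeObjectId, Url_s),
              IndicatorType = 'CMD_Process_File'
};
// Main: receives the already-loaded watchlist and fans the right slice of it out to
// each sub-function. A third IoC type is one more line here and one more sub-function.
let Main = (wl:(Type:string, SearchKey:string), lookback:timespan) {
    union
        (IpSearch((wl | where Type == 'IP_Address' | project SearchKey), lookback)),
        (UrlSearch((wl | where Type == 'CMD_Process_File' | project SearchKey), lookback))
};
Main(wList, Lookback)
| order by TimeGenerated desc
```

The sub-functions project a common shape (TimeGenerated, UserId, Indicator, IndicatorType) so the union in Main stays clean and the matched indicator is visible in the result. If a query context does not allow materialize(), removing it changes only cost, not results: the watchlist would simply be fetched once per sub-function, which is the situation the thread started from.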