Forum Discussion

abon13
Brass Contributor
Oct 07, 2022

Watchlist file name as a function parameter

Hi, I am writing a main function that calls out to sub-functions as per the IoCs stored in the watchlist. Currently I have the watchlist file name in every sub-function and was hoping I could avoid this, in such a way that we just call the main function with the file name as a parameter and this in turn provides the watchlist file to the sub-functions too.


If you look at the first line of the two sub-functions below, you will see I have the watchlist file name hardcoded there.

IPsearch()
let watchlist_ip = (_GetWatchlist('TestWatchlist') | where Type == 'IP_Address' | project SearchKey);
let Office_Okta = (OfficeActivity
| union Okta_CL
| where TimeGenerated >= ago(1d)
| where ClientIP in (watchlist_ip) or client_ipAddress_s in (watchlist_ip)
| project TimeGenerated, ClientIP, UserId);
Office_Okta

URLsearch()
let watchlist_search_url = (_GetWatchlist('TestWatchlist') | where Type == 'CMD_Process_File' | project SearchKey);
let Office = (OfficeActivity
| union NetworkFw
| where TimeGenerated >= ago(Time)
.
.
.
.);

Here is the current main function, without the watchlist file as a parameter:

Main()

IPsearch()
| union URLsearch()

My plan is something like this: I only execute Main(WatchlistFileName) to get the results. How do I do this?

Main(WatchlistFileName)

IPsearch(filename_provided_in_the_main)
| union URLsearch(filename_provided_in_the_main)

  •
    Clive_Watson
    Bronze Contributor
    Materialize could help here https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/materializefunction but I've not tried it in a function like you describe.

    This example is close to what you ask:

    To use the let statement with a value that you use more than once, use the materialize() function. Try to push all possible operators that will reduce the materialized data set and still keep the semantics of the query. For example, use filters, or project only required columns.

    Kusto

    let materializedData = materialize(Table
    | where Timestamp > ago(1d));
    union (materializedData
    | where Text !has "somestring"
    | summarize dcount(Resource1)), (materializedData
    | where Text !has "somestring"
    | summarize dcount(Resource2))
    •
      abon13
      Brass Contributor
      Would you be able to elaborate on how I can use materialize for this use case?

      I am trying to understand, even when making use of materialise, how I can call the watchlist file name used in the main function.
      •
        Clive_Watson
        Bronze Contributor

        abon13 


        So for example, I have a watchlist with 7 rows of IP addresses. I use materialize to cache the data with a let() to the name wList:

        let wList = materialize ( _GetWatchlist('ipa') );
        union 
        (
        wList
        | where SearchKey !startswith "188"
        | count
        ),
        (
        wList
        | where SearchKey startswith "188"
        | count
        )

        As you can see (in this very brief example), I call wList twice but ask for different data each time.
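As an added example, not code from either abon13's post or Clive_Watson's replies: this combines the two threads above, the pattern abon13 asks for (only Main knows the watchlist name and passes what it needs to the sub-functions) and Clive_Watson's materialize suggestion (fetch and cache the watchlist once, then query it twice). It is written as let-bound functions so the whole thing runs as a single KQL query. It keeps the watchlist columns (SearchKey, Type), the Type values and the table names (Okta_CL, NetworkFw) from the original post as given; the OfficeObjectId column used for the URL match is an assumption standing in for the elided part of URLsearch, and so is the use of materialize() inside a let-bound function body, which Clive_Watson says he has not tried.

```kql
// Added example, not from the thread. Assumes the watchlist has SearchKey and
// Type columns, that Okta_CL and NetworkFw exist, and that OfficeObjectId is
// the column to match URLs against (assumption: the original URLsearch body
// is elided in the post).

// The sub-functions receive the already-fetched watchlist rows as a tabular
// parameter, so neither of them hardcodes a watchlist name.
let IPsearch = (wl:(SearchKey:string, Type:string)) {
    let watchlist_ip = wl
        | where Type == 'IP_Address'
        | project SearchKey;
    OfficeActivity
    | union Okta_CL
    | where TimeGenerated >= ago(1d)
    | where ClientIP in (watchlist_ip) or client_ipAddress_s in (watchlist_ip)
    | project TimeGenerated, ClientIP, UserId, Match = 'IP'
};
let URLsearch = (wl:(SearchKey:string, Type:string)) {
    // has_any takes a dynamic array, so collapse the SearchKey column into one.
    let watchlist_url = toscalar(wl
        | where Type == 'CMD_Process_File'
        | summarize make_list(SearchKey));
    OfficeActivity
    | union NetworkFw
    | where TimeGenerated >= ago(1d)
    | where OfficeObjectId has_any (watchlist_url)   // assumed match column
    | project TimeGenerated, ClientIP, UserId, Match = 'URL'
};
// Main is the only place that knows the watchlist name. It fetches the list
// once, caches it with materialize() (assumption: accepted inside a function
// body), and hands the same cached rows to every sub-function.
let Main = (WatchlistName:string) {
    let wl = materialize(_GetWatchlist(WatchlistName) | project SearchKey, Type);
    IPsearch(wl)
    | union URLsearch(wl)
};
Main('TestWatchlist')
```

If you save these as Sentinel functions instead of let statements, the string parameter on Main is the part the function editor is known to support; whether it accepts a tabular parameter on the sub-functions I have not checked. The fallback is to give IPsearch and URLsearch a WatchlistName:string parameter of their own and call _GetWatchlist(WatchlistName) inside each, with Main passing its parameter straight through; that still removes the hardcoded name, at the cost of fetching the watchlist once per sub-function rather than once per query.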
