Forum Discussion
misstaek
Feb 09, 2022 | Copper Contributor
Saving and using tabular functions in Sentinel
Hi I am trying to define a function which takes in a list of IP ranges, then uses a watchlist of IP ranges and returns only the distinct IPs which belong to one of these ranges. Here is the body...
Jonhed
Mar 08, 2022 | Steel Contributor
It appears you cannot save a function that accepts tabular parameters; they can only be defined within the query itself.
You should look at the "Watch listing by IP ranges: the mv-apply operator" section of the blog below, it shows how you could compare a bunch of IPs to a bunch of IP ranges.
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/approximate-partial-and-combined-lookups-in-azure-sentinel/ba-p/1393795
This is another example of how to implement mv-apply. (the base logic is pretty much the same)
I have used this successfully to filter IPs that match any of the Azure service tags ranges.
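The mv-apply pattern the reply points to, written out as an added example (this is not code from the original thread or from the linked blog). The watchlist and the candidate IPs are constructed inline with `datatable` so the query runs anywhere; in a real workspace `IpRanges` would be replaced by `_GetWatchlist('<your-watchlist-alias>')` and `CandidateIps` by the table being filtered. Because the matching logic lives in the query body rather than in a saved function, it sidesteps the tabular-parameter limitation described above.

```kql
// Constructed sample watchlist of CIDR ranges (stands in for _GetWatchlist('<alias>')).
let IpRanges = datatable(RangeName:string, Cidr:string)
[
    "corp-vpn", "10.20.0.0/16",
    "dmz",      "192.0.2.0/24",
    "partner",  "198.51.100.0/25"
];
// Constructed sample IPs to filter; includes a duplicate and two out-of-range addresses.
let CandidateIps = datatable(SrcIp:string)
[
    "10.20.5.9",
    "192.0.2.17",
    "203.0.113.4",
    "198.51.100.200",
    "10.20.5.9"
];
// Collapse the ranges into a single dynamic array so every row can carry a copy of it.
let RangeList = toscalar(
    IpRanges
    | summarize make_list(bag_pack("Name", RangeName, "Cidr", Cidr))
);
CandidateIps
| extend Ranges = RangeList
// Expand the array per row and keep only the (IP, range) pairs where the IP falls inside the CIDR.
| mv-apply Range = Ranges to typeof(dynamic) on (
    where ipv4_is_in_range(SrcIp, tostring(Range.Cidr))
)
| project SrcIp, MatchedRange = tostring(Range.Name)
// distinct removes the duplicate 10.20.5.9 and any IP matched by several overlapping ranges.
| distinct SrcIp, MatchedRange
```

With the constructed data this returns two rows: 10.20.5.9 (corp-vpn) and 192.0.2.17 (dmz). 203.0.113.4 matches nothing, and 198.51.100.200 is dropped because a /25 only covers .0 through .127, which is the kind of boundary `ipv4_is_in_range` gets right and a string-prefix comparison would not. Note that `toscalar` materialises the whole watchlist into one array per row, so for very large watchlists a `join` on a precomputed key is the cheaper alternative.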