cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Saving and using tabular functions in Sentinel

misstaek
Copper Contributor

‎Feb 09 2022 12:09 AM

‎Feb 09 2022 12:09 AM

Saving and using tabular functions in Sentinel

Hi

I am trying to define a function which takes in a list of IP ranges, then uses a watchlist of IP ranges and returns only the distinct IPs which belong to one of these ranges.

 

Here is the body:

 

let Watchlist = _GetWatchlist("guestNetworkRanges")

| extend crossJoin1 = 1;

let isInGuestRange = (distinctIPs:(IP:string))

{  

    Watchlist 

    | join(distinctIPs

    | extend crossJoin2 = 1) on $left.crossJoin1 == $right.crossJoin2 

    | extend isGuest = ipv4_is_in_range(IP, IPrange) // bool

    | where isGuest

}

;

isInGuestRange(distinctIPs)

 

I am unsure how to save the tabular function as the parameter is tabular (which is not one of the offered options?)

misstaek_0-1644393856713.png

I tried without any parameter (which complains that the function is not taking any parameter when used in a query), putting distinctIP as a dynamic parameter, or just saying that IP (row of distinctIP) is a string (both solution return the following error):

misstaek_1-1644394024915.png

I could find documentations where it is shown how to define a tabular function, but not how to save it, which is where I feel the problem is in this case.

 

Any advice on how to handle tabular function saving?

 

Thanks in advance!

Labels:
1,077 Views
0 Likes
1 Reply
Reply
1 Reply
Jonhed

‎Mar 08 2022 02:44 AM - edited ‎Mar 08 2022 02:48 AM

‎Mar 08 2022 02:44 AM - edited ‎Mar 08 2022 02:48 AM

Re: Saving and using tabular functions in Sentinel

It appears you cannot save a function that accepts tabular parameters,
they can only be defined within the query itself.

You should look at the "Watch listing by IP ranges: the mv-apply operator" section of the blog below, it shows how you could compare a bunch of IPs to a bunch of IP ranges.
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/approximate-partial-and-combined-look...

 

This is another example of how to implement mv-apply. (the base logic is pretty much the same)

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-external-data-sources-to-enrich...

 

I have used this successfully to filter IPs that match any of the Azure service tags ranges.

1 Like
Reply