I am trying to define a function which takes in a list of IP ranges, then uses a watchlist of IP ranges and returns only the distinct IPs which belong to one of these ranges.
Here is the body:
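let Watchlist = _GetWatchlist("guestNetworkRanges")
| extend crossJoin1 = 1;
// Tabular parameter: a table with a single string column named IP
let isInGuestRange = (distinctIPs:(IP:string))
{
    Watchlist
    // kind=inner keeps every watchlist row; the default (innerunique) would dedupe on the constant key
    | join kind=inner (distinctIPs
        | extend crossJoin2 = 1) on $left.crossJoin1 == $right.crossJoin2
    | extend isGuest = ipv4_is_in_range(IP, IPrange) // bool
    | where isGuest
};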
I am unsure how to save the tabular function as the parameter is tabular (which is not one of the offered options?)
I tried without any parameter (which complains that the function is not taking any parameter when used in a query), putting distinctIP as a dynamic parameter, or just saying that IP (row of distinctIP) is a string (both solutions return the following error):
I could find documentation where it is shown how to define a tabular function, but not how to save it, which is where I feel the problem is in this case.
Any advice on how to handle tabular function saving?
Thanks in advance!