Forum Discussion
Azure Sentinel's "Function" help
Steven_Su OK, now I got it. Sorry for being so obtuse about this one. You are right, you cannot save a function that calls a table (seems to be a bit of an oversight if you ask me). I would suggest following the ASIM model and just create a different function for each table that you need to be normalized for Function 1.
If you look at the listing of functions that are available to you, there are a lot that start with _ASim. Those are the ones that MS created to perform normalization for different tables.
GaryBushey
Is it possible to pass a tabular argument to a stored function though?
I know it is possible with ad-hoc functions defined within the query itself, but I have yet to find a way to do this with stored functions.
At least when you use the Azure Portal GUI, it does not appear to be possible to define a parameter of the tabular type, only regular types such as string, long, dynamic etc.
Regarding Function 2, it is not exactly what you wanted but you could do it like below.
Create function and save as below.
Name: Function2
Parameters: (string)aws_account_name, (string)src_ip
Function query:
iif(aws_account_name != "DevOps" and src_ip != "10.10.10.10","True","False")Then use it like below.
It is a bit clumsier than what you wanted, but could do the trick.
Function1 | extend Function2 = Function2(aws_account_name,src_ip) | where Function2 == "True"- Understood and thank you for your explanation.
Steven_Su OK, now I got it. Sorry for being so obtuse about this one. You are right, you cannot save a function that calls a table (seems to be a bit of an oversight if you ask me). I would suggest following the ASIM model and just create a different function for each table that you need to be normalized for Function 1.
If you look at the listing of functions that are available to you, there are a lot that start with _ASim. Those are the ones that MS created to perform normalization for different tables.
Yes, as I said I know you can do it in ad-hoc functions, where the function is defined within the same query that calls the function. (This is what the example shows)
But what Steven_Su is saying is that he wants to "save Function1 and Function2 as functions under "Workspace functions", meaning you need do it as a stored function.
When you save a function, you need to specify the parameters in the dialog, as you can see in the screenshot below, but there is no option to accept a table as a parameter in this case.
There is no mention of how to accept a table in stored functions in the official documents,
and I have seen other members asking about it, so I am not sure if it is doable in the way Steven_Su imagines it.
Jonhed If you look at the Examples section in the URL you listed, it shows how to pass in a table to a function:
let MyFilter = (T:(x:long), v:long) { T | where x >= v }; MyFilter((range x from 1 to 10 step 1), 9)BTW, the range command returns a table.
