Feb 17 2022 06:30 PM
Hi,
I want to make use of Function to set up exclusion rule, for example, src_ip=1.1.1.1 AND dest_ip=2.2.2.2, src_ip=3.3.3.3 AND signature=AAA. However, when I create the Function beginning with "|" or "where", it could not be loaded in the original search. We did not include the data source here because we have another function to do the data normalization.
So could I still use Function in this way or is there any other better approach to do such exclusion? Thanks!
Feb 18 2022 03:49 AM
@Steven_Su You will need to pass in a table to perform the actions against. Take a look at User-defined functions - Azure Data Explorer | Microsoft Docs for some examples of how you can pass in a specific table or an unknown table.
Feb 24 2022 12:22 AM
@Gary Bushey Hi, sorry for the late reply, since we are quite new to Sentinel and want to migrate our AWS SIEM detection use cases to Sentinel.
Now our use case is that we want to have 2 functions:
Function 1: field normalization (shared and used by all the AWS use case)
AWSCloudTrail
| project-rename
event_name = EventName,
src_ip = SourceIpAddress,
target_account_id = RecipientAccountId
Function 2: exclusion rule for use case A (used by single AWS use case)
where aws_account_name != "DevOps" and src_ip != "10.10.10.10"
So now we are writing the KQL for case A, which requires both functions. However, it seems not to be working. In the link https://docs.microsoft.com/en-us/azure/sentinel/false-positives#modify-the-query it is suggested to directly modify the query, but we still want to see if it is possible to keep the exception condition in the function.
Thank you.
Feb 25 2022 04:38 AM
@Steven_Su If you want to add Function 2 as part of Function 1 but want to be able to change the aws_account_name and src_ip, you will need to pass those variables into the function and then use the variables in the code. Something like
let CheckAWS = (account:string, ipaddress:string) {
    AWSCloudTrail
    | where aws_account_name != account and src_ip != ipaddress
};
// invoke the function with the values to exclude
CheckAWS("DevOps", "10.10.10.10")
Feb 27 2022 12:51 AM
Hi Gary,
Thank you very much for your response. I guess maybe I am not explaining the issue clearly.
We want to have 2 separate functions so that we could invoke them in other KQL queries (different AWS use cases) like
Function1
Function2
|summarize ... by ...
Function 1, doing the data normalization, is the same for all the queries, while Function 2 is the exclusion and is different case by case. That's why we need to create a dedicated function for it. So it seems your suggestion may not suit the requirement.
Feb 28 2022 03:40 AM
@Steven_Su If I understand what you need, the first function needs to return a normalized table and then the second function needs to act upon that table. So something like:
let normalizedTable = Function1();
let response = Function2(normalizedTable);
response
If that is the case then Function2 would need to be able to accept the table that you want to perform the summarize on. You cannot just start a function with "| summarize". It can return its own table and then you can just display that table.
Mar 01 2022 02:47 AM
Mar 01 2022 07:27 AM
@Gary Bushey
Is it possible to pass a tabular argument to a stored function though?
I know it is possible with ad-hoc functions defined within the query itself, but I have yet to find a way to do this with stored functions.
At least when you use the Azure Portal GUI, it does not appear to be possible to define a parameter of the tabular type, only regular types such as string, long, dynamic etc.
Mar 02 2022 05:38 AM
@Jonhed If you look at the Examples section in the URL you listed, it shows how to pass in a table to a function:
let MyFilter = (T:(x:long), v:long) {
T | where x >= v
};
MyFilter((range x from 1 to 10 step 1), 9)
BTW, the range command returns a table.
Mar 02 2022 04:37 PM - edited Mar 02 2022 04:40 PM
Yes, as I said I know you can do it in ad-hoc functions, where the function is defined within the same query that calls the function. (This is what the example shows)
But what @Steven_Su is saying is that he wants to "save Function1 and Function2 as functions under 'Workspace functions'", meaning you need to do it as a stored function.
When you save a function, you need to specify the parameters in the dialog, as you can see in the screenshot below, but there is no option to accept a table as a parameter in this case.
There is no mention of how to accept a table in stored functions in the official documents, and I have seen other members asking about it, so I am not sure if it is doable in the way @Steven_Su imagines it.
Mar 02 2022 11:11 PM
Yes, you are correct, it is my question regarding the usage
Mar 03 2022 03:49 AM
Solution: @Steven_Su OK, now I got it. Sorry for being so obtuse about this one. You are right, you cannot save a function that calls a table (seems to be a bit of an oversight if you ask me). I would suggest following the ASIM model and just create a different function for each table that you need to be normalized for Function 1.
If you look at the listing of functions that are available to you, there are a lot that start with _ASim. Those are the ones that MS created to perform normalization for different tables.
Mar 06 2022 01:34 AM
Mar 08 2022 02:26 AM
Regarding Function 2, it is not exactly what you wanted but you could do it like below.
Create function and save as below.
Name: Function2
Parameters: (string)aws_account_name, (string)src_ip
Function query:
iif(aws_account_name != "DevOps" and src_ip != "10.10.10.10","True","False")
Then use it like below.
It is a bit clumsier than what you wanted, but could do the trick.
Function1
| extend Function2 = Function2(aws_account_name,src_ip)
| where Function2 == "True"
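As an added example (not code from the thread), the two-function pattern written with ad-hoc `let` functions, which do accept tabular parameters as Gary's MyFilter example shows; the function names, the `SampleCloudTrail` datatable standing in for AWSCloudTrail, and its rows are constructed for illustration. It also shows the difference between the thread's `!=` and `!=` filter and a true "A AND B" exclusion.

```kusto
// Constructed sample rows standing in for the AWSCloudTrail table.
let SampleCloudTrail = datatable(EventName:string, SourceIpAddress:string, RecipientAccountId:string, aws_account_name:string)
[
    "ConsoleLogin", "10.10.10.10",  "111111111111", "DevOps",
    "ConsoleLogin", "198.51.100.7", "222222222222", "Prod",
    "DeleteTrail",  "203.0.113.9",  "222222222222", "Prod",
    "DeleteTrail",  "203.0.113.9",  "333333333333", "DevOps",
    "DeleteTrail",  "10.10.10.10",  "333333333333", "DevOps"
];
// Function 1: shared field normalization (the thread's project-rename).
let NormalizeAws = () {
    SampleCloudTrail
    | project-rename event_name = EventName, src_ip = SourceIpAddress, target_account_id = RecipientAccountId
};
// Function 2: per-use-case exclusion taking the normalized table as a tabular
// parameter. The full normalized schema is declared so every column used
// downstream is guaranteed to be present in T.
// Note: the thread's form `aws_account_name != "DevOps" and src_ip != "10.10.10.10"`
// drops every DevOps row AND every 10.10.10.10 row (the 4th sample row would
// vanish). To exclude only rows matching both conditions, negate the conjunction.
let ExcludeUseCaseA = (T:(event_name:string, src_ip:string, target_account_id:string, aws_account_name:string)) {
    T | where not(aws_account_name == "DevOps" and src_ip == "10.10.10.10")
};
// Detection query for use case A: compose the two functions, then aggregate.
// Rows 1 and 5 are excluded; rows 2, 3 and 4 remain.
ExcludeUseCaseA(NormalizeAws())
| summarize EventCount = count() by event_name, src_ip, target_account_id, aws_account_name
```

Because stored workspace functions cannot declare a tabular parameter (per the discussion above), this composition only works when both `let` definitions live in the same query; for a stored Function2 the scalar iif() workaround above is the alternative.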