Watchlist file name as a function parameter

abon13 · ‎Oct 06 2022

Hi, I am writing a main function that calls out sub functions as per IoC's stored in the watchlist. Currently I have the watchlist file name in every sub-functions and was hoping if I can avoid these in such a way that we just call the main function with the file name as a parameter and this will in turn provide the watchlist file to the subfunctions too.

If you look at the first line of the below two sub functions, you will see I have the watchlist filename hardcoded there

IPsearch()
let watchlist_ip=(_GetWatchlist('TestWatchlist')| where Type == 'IP_Address'| project SearchKey);
let Office_Okta = (OfficeActivity
| union Okta_CL
| where TimeGenerated >= ago(1d)
| where ClientIP in (watchlist_ip) or client_ipAddress_s in (watchlist_ip)
| project TimeGenerated,  ClientIP, UserId

URLsearch()
let watchlist_search_url=(_GetWatchlist('TestWatchlist')| where Type == 'CMD_Process_File'| project SearchKey);
let Office=( OfficeActivity
|union NetworkFw
| where TimeGenerated >= ago(Time)
.
.
.
.);

Here is the current main function without watchlist file as a parameter

Main()

Ipsearch()
|union UrlSearch()

My plan is something like I only execute Main(WathclistFileName) to get the results. How do I do this ?

Main(WatchlistFileName)

IpSearch(filename_provided_in_the_main)
| union UrlSearch(filename_provided_in_the_main)

Clive_Watson · ‎Oct 07 2022

Materialize could help here https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/materializefunction but I've not tried it in a function like you describe.

This example is close to what you ask:

To use the let statement with a value that you use more than once, use the materialize() function. Try to push all possible operators that will reduce the materialized data set and still keep the semantics of the query. For example, use filters, or project only required columns.

Kusto

let materializedData = materialize(Table
| where Timestamp > ago(1d));
union (materializedData
| where Text !has "somestring"
| summarize dcount(Resource1)), (materializedData
| where Text !has "somestring"
| summarize dcount(Resource2))

abon13 · ‎Oct 10 2022

Would you be able to elaborate how i can use materialize for this use case ?

I am trying to understand even for making use of materialise, how can I call the watchlist file name made use in the main function.

abon13 · ‎Oct 10 2022

@abon13

So for example, I have a Watchlist with 7 rows of IP Addresses. I use materialize to cache the data with a let() to the name wList

let wList = materialize ( _GetWatchlist('ipa') );
union 
(
wList
| where SearchKey !startswith "188"
| count
),
(
wList
| where SearchKey startswith "188"
| count
)

As you can see (in this very brief example) I call wList twice but ask for different data each time

abon13 · ‎Oct 12 2022

thank you

abon13 · ‎Oct 10 2022

@abon13

So for example, I have a Watchlist with 7 rows of IP Addresses. I use materialize to cache the data with a let() to the name wList

let wList = materialize ( _GetWatchlist('ipa') );
union 
(
wList
| where SearchKey !startswith "188"
| count
),
(
wList
| where SearchKey startswith "188"
| count
)

As you can see (in this very brief example) I call wList twice but ask for different data each time

View solution in original post

Watchlist file name as a function parameter

Watchlist file name as a function parameter

Re: Watchlist file name as a function parameter

Re: Watchlist file name as a function parameter

Re: Watchlist file name as a function parameter

Re: Watchlist file name as a function parameter

Re: Watchlist file name as a function parameter

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Watchlist file name as a function parameter